Re: [CentOS] CentOS 6 and screenshot of website

2012-01-05 Thread Jani Ollikainen
On 4.1.2012 18:54, John Hodrien wrote:
>> I think maybe he wants command line tools...
>> But if that is not the case, there is the Screengrab! Firefox addon that can
>> screenshot a complete page, only the visible part, or just a selection...
> For a command line tool, how about 'import' from imagemagick.

Yes, the need was for an automated command-line tool which I can use
without requiring any user interaction.

I don't see how import would do, as one would need to have something
open up a browser to some page, and how could import know when the page
is opened and rendered, etc.

The solution I'm looking for is like the mentioned Python scripts;
it doesn't have to be in Python, as long as it is able to
do it without user interaction.

gnome-python2-gtkhtml2 might be able to do it, as it has
/usr/share/doc/gnome-python2-gtkhtml2-2.25.3/simple-browser.py with
it.

But I'm not familiar with that, so for me it's easier
just to bite the bullet, compile mozembed and continue using the system I have.

I'm just wondering what RedHat's idea has been in not supporting
python with mozembed or webkit, and whether there is an alternative that I don't
know about. But based on the first answers, maybe not.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] CentOS 6 and screenshot of website

2012-01-05 Thread Bart Schaefer
On Thu, Jan 5, 2012 at 12:19 AM, Jani Ollikainen wrote:
>
> I'm just wondering what RedHat's idea has been in not supporting
> python with mozembed or webkit, and whether there is an alternative that I don't
> know about. But based on the first answers, maybe not.

This is very likely why RedHat dropped mozembed:

http://www.h-online.com/open/news/item/Mozilla-kills-embedding-support-for-Gecko-layout-engine-Update-1218990.html


Re: [CentOS] dhcp lease-time

2012-01-05 Thread John Hodrien
On Thu, 5 Jan 2012, Timothy Murphy wrote:

> Why is the default lease-time set to only 10 minutes (600 seconds)
> in /etc/dhcp/dhcpd.conf (CentOS-6.2) as distributed?

I assume the dull answer is: because that's what Redhat set it to.

> Why is it not set to a much longer time?

What length do you think the correct default should be?

> Is there any disadvantage in doing that?
> Or conversely, is a short lease-time safer in some way?

Short lease times work better with very transient devices, since the IP
address is returned to the pool much faster when a machine disconnects but
doesn't release the DHCP lease.

jh


Re: [CentOS] CentOS 6 and screenshot of website

2012-01-05 Thread Walter Haidinger
On 04.01.2012 10:46, Jani Ollikainen wrote:
> How one is supposed to do screenshots of a website with CentOS 6?
For X11, there is xwd(1): X window dump.
Prompts you to click on a window and dumps its contents.

To "screenshot" a single window and save it as a jpeg, e.g.:

xwd | xwdtopnm | pnmtojpeg > window.jpg

Under CentOS 6, xwd is part of the xorg-x11-apps package,
xwdtopnm and pnmtojpeg come with netpbm-progs.

Hope that helps.

Walter



Re: [CentOS] A simplistic parental-control setup

2012-01-05 Thread Ljubomir Ljubojevic
On 01/05/2012 01:21 AM, Marko Vojinovic wrote:
> On Wednesday 04 January 2012 18:04:43 Frank Cox wrote:
>> On Wed, 04 Jan 2012 23:58:17 + Marko Vojinovic wrote:
>>> The point is that I need a simple, easy-to-implement, easy-to-configure
>>> and easy-to-maintain solution for this particular usecase.
>>
>> Put the disallowed addresses into your /etc/hosts file and associate those
>> addresses with whatever you want them to resolve to.
>
> Hmm... that sure looks simple enough. :-) I'll give it a try, thanks!
>

/etc/hosts is a local DNS server. It does not work when http://1.2.3.4/xxx
is used. You need iptables/PREROUTING/redirect? rules for that.

Also, I think you will need some kind of http server, at least something like
lighttpd.



-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] CentOS 6 and screenshot of website

2012-01-05 Thread Walter Haidinger
On 05.01.2012 09:19, Jani Ollikainen wrote:
> Yes, the need was for an automated command-line tool which I can use
> without requiring any user interaction.

Use option -id or -name of xwd(1) to specify the window, e.g.:
xwd -id 0xc000c5 | xwdtopnm | pnmtojpeg > win.jpg

To find the id or name, parse the output of:
xwininfo -root -children

Walter


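To turn Walter's two commands into something that runs unattended, here is an added example (not from the thread or the xorg-x11-apps package) that parses xwininfo -root -children output for a window by title or WM_CLASS and emits the xwd pipeline; the xwininfo output it runs on is constructed. xwd still only dumps an already mapped X window, so a browser has to be running and showing the page.

```python
"""Pick a window id out of `xwininfo -root -children` output and build the
xwd | xwdtopnm | pnmtojpeg pipeline from the thread.  Added example; the
sample xwininfo output below is constructed, not captured from a real host."""
import re
import shlex
from typing import List, NamedTuple, Optional

# One child line per window: id, title (or "(has no name)"), the WM_CLASS
# pair in parentheses, then geometry WxH+X+Y (negative offsets print as "+-1").
_CHILD = re.compile(
    r'^\s*(?P<id>0x[0-9a-fA-F]+)\s+'
    r'(?:"(?P<title>[^"]*)"|\(has no name\)):\s+'
    r'\((?:"(?P<instance>[^"]*)"\s+"(?P<cls>[^"]*)")?\)\s+'
    r'(?P<w>\d+)x(?P<h>\d+)[+-]-?\d+[+-]-?\d+'
)


class Window(NamedTuple):
    wid: str
    title: Optional[str]
    wm_class: Optional[str]
    width: int
    height: int


def parse_children(output: str) -> List[Window]:
    """Return every top-level child window listed by xwininfo -root -children."""
    wins = []
    for line in output.splitlines():
        m = _CHILD.match(line)
        if not m:
            continue  # header lines ("Root window id:", "N children:") etc.
        wins.append(Window(m["id"], m["title"], m["cls"],
                           int(m["w"]), int(m["h"])))
    return wins


def find_window(output: str, needle: str) -> Optional[Window]:
    """Match on title or WM_CLASS (case-insensitive).  Unnamed helper windows
    never match; when several do, prefer the largest, which is normally the
    real top-level window rather than a popup or tooltip."""
    needle = needle.lower()
    hits = [w for w in parse_children(output)
            if (w.title and needle in w.title.lower())
            or (w.wm_class and needle in w.wm_class.lower())]
    return max(hits, key=lambda w: w.width * w.height, default=None)


def xwd_pipeline(win: Window, outfile: str) -> str:
    """Walter's command with the id filled in; the output path is quoted so
    an odd filename cannot change the meaning of the command."""
    return f"xwd -id {win.wid} | xwdtopnm | pnmtojpeg > {shlex.quote(outfile)}"


# Constructed sample in the format xwininfo -root -children prints.
SAMPLE = """\
xwininfo: Window id: 0x15e (the root window) (has no name)

  Root window id: 0x15e (the root window) (has no name)
  Parent window id: 0x0 (none)
     4 children:
     0x1400003 (has no name): ()  1x1+-1+-1  +-1+-1
     0xc000c5 "Mozilla Firefox": ("Navigator" "Firefox")  1280x1000+0+0  +0+0
     0xc00021 "Downloads": ("Places" "Firefox")  640x480+100+100  +100+100
     0x1200001 "jani@host:~": ("xterm" "XTerm")  484x316+10+10  +10+10
"""

if __name__ == "__main__":
    win = find_window(SAMPLE, "firefox")
    if win is None:
        raise SystemExit("no matching window")
    print(xwd_pipeline(win, "win.jpg"))
```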


Re: [CentOS] dhcp lease-time

2012-01-05 Thread Ljubomir Ljubojevic
On 01/05/2012 09:54 AM, John Hodrien wrote:
> On Thu, 5 Jan 2012, Timothy Murphy wrote:
>
>> Why is the default lease-time set to only 10 minutes (600 seconds)
>> in /etc/dhcp/dhcpd.conf (CentOS-6.2) as distributed?
>
> I assume the dull answer is: because that's what Redhat set it to.
>
>> Why is it not set to a much longer time?
>
> What length do you think the correct default should be?
>
>> Is there any disadvantage in doing that?
>> Or conversely, is a short lease-time safer in some way?
>
> Short lease times work better with very transient devices, since the IP
> address is returned to the pool much faster when a machine disconnects but
> doesn't release the DHCP lease.
>

Also, there should be a distinction between default and max lease time.
The DHCP server uses the default lease time to force the DHCP client to "check in"
in that time period. If the device does not respond, then the DHCP server will
reuse that IP.

The max lease time is what the DHCP client is allowed, so the traffic is lower, and
after that time the DHCP client will ask for renewal of the IP.



Re: [CentOS] CentOS 6 and screenshot of website

2012-01-05 Thread John Hodrien
On Thu, 5 Jan 2012, Walter Haidinger wrote:

> On 05.01.2012 09:19, Jani Ollikainen wrote:
>> Yes, the need was for an automated command-line tool which I can use
>> without requiring any user interaction.
>
> Use option -id or -name of xwd(1) to specify the window, e.g:
> xwd -id 0xc000c5 | xwdtopnm | pnmtojpeg > win.jpg
>
> To find the id or name, parse the output of:
> xwininfo -root -children

But I think the bit that we both missed with his requirements is that he
ultimately wants to be able to do:

capture-website http://www.bbc.co.uk

and end up with a png of the website.

So he wants to be able to capture an image of what a website looks like from
the command line, and not really take a screenshot at all.

I think that's a fair summary anyway...

jh


Re: [CentOS] CentOS 6 and screenshot of website

2012-01-05 Thread Jani Ollikainen
On 5.1.2012 13:52, John Hodrien wrote:
> So he wants to be able to capture an image of what a website looks like from
> the command line, and not really take a screenshot at all.
> I think that's a fair summary anyway...

Yes, well, I'm not a native English speaker, so I would call those screenshots
of the website, or maybe screen capture would be better, but it's still
almost the same :) If I said picture of a website, to me it
would sound less descriptive than screenshot.

I thought linking up two example programs doing it would describe
it. But it seems people didn't open/read the URLs. As one of them was:
http://www.coderholic.com/pywebshot-generate-website-thumbnails-using-python/

"Here’s an example of running PyWebShot with 3 URLs, and the resulting 
images:

$ ./pywebshot.py -t 500x250 http://www.coderholic.com 
http://geomium.com/update/598/ http://jobs.plasis.co.uk
Loading http://www.coderholic.com... saved as www.coderholic.com.png
Loading http://geomium.com/update/598/... saved as 
geomium.com.update.598..png
Loading http://jobs.plasis.co.uk... saved as jobs.plasis.co.uk.png"

But your capture-website example is a good description of what I'm looking
for that would work on the components available in CentOS 6 (or
some well-known 3rd party repository, not replacing too much of
the normal system).

Now my solution was to compile gnome-python2-extras with changes to the
.spec, and as someone commented, Mozilla has dropped support for
gtkmozembed, so that solution doesn't seem long-lived and
some other option would be nice.




Re: [CentOS] dhcp lease-time

2012-01-05 Thread Timothy Murphy
John Hodrien wrote:

> On Thu, 5 Jan 2012, Timothy Murphy wrote:
> 
>> Why is the default lease-time set to only 10 minutes (600 seconds)
>> in /etc/dhcp/dhcpd.conf (CentOS-6.2) as distributed?
> 
> I assume the dull answer is: because that's what Redhat set it to.

Let me re-word the query for you:
Why does Redhat set the default lease-time to only 10 minutes (600 seconds)?
 
>> Why is it not set to a much longer time?
> 
> What length do you think the correct default should be?

I see various much longer times on the web, e.g. (at random)

-
default-lease-time 21600;
# Amount of time in seconds that a client may keep the IP address
max-lease-time 43200;
-

>> Is there any disadvantage in doing that?
>> Or conversely, is a short lease-time safer in some way?
> 
> Short lease times work better with very transient devices, since the IP
> address is returned to the pool much faster when a machine disconnects but
> doesn't release the DHCP lease.

I suppose this might make sense if more than 100 devices
might join the network.
This would be unlikely in my case (a home network),
where almost all the devices have static IP addresses.


-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin




Re: [CentOS] dhcp lease-time

2012-01-05 Thread Timothy Murphy
Ljubomir Ljubojevic wrote:

> Also, there should be distinction between default and max lease time.
> DHCP server uses default lease time to force DHCP client to "check in"
> in that time period. If device does not respond, then DHCP server will
> reuse that IP.
> 
> Max lease time is used to allow DHCP client so the traffic is lesser and
> after that time DHCP client will ask for renewal of the IP.

When is the max lease time used, as a matter of interest?
Looking at /var/log/messages on my home server,
it seems each device is checked after half the default time,
i.e. every 5 minutes.




Re: [CentOS] dhcp lease-time

2012-01-05 Thread Les Mikesell
On Thu, Jan 5, 2012 at 7:07 AM, Timothy Murphy  wrote:
> Ljubomir Ljubojevic wrote:
>
>> Also, there should be distinction between default and max lease time.
>> DHCP server uses default lease time to force DHCP client to "check in"
>> in that time period. If device does not respond, then DHCP server will
>> reuse that IP.
>>
>> Max lease time is used to allow DHCP client so the traffic is lesser and
>> after that time DHCP client will ask for renewal of the IP.
>
> When is the max lease time used, as a matter of interest?
> Looking at /var/log/messages on my home server,
> it seems each device is checked after half the default time,
> ie every 5 minutes.

Devices aren't 'checked' by the server.  It is up to the client to
renew the lease and they normally try when the lease is halfway up if
they are powered on and connected.  But the IP stays reserved for the
MAC address that has it until the max time and the client will
normally request (and get) the IP it had last time unless it has been
given out to something else.

-- 
  Les Mikesell
lesmikes...@gmail.com
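As an added illustration of the default/max distinction and of Les's point that clients come back halfway through the lease (not code from the dhcp package or the thread), the snippet below reads both settings from a dhcpd.conf fragment, applies dhcpd's rule for which length is granted, and computes the client's RFC 2131 renew/rebind timers. The 7200-second max-lease-time in the first sample is the ISC sample-config value and is assumed here, since the thread only quotes the 600-second default.

```python
"""ISC dhcpd lease arithmetic behind the thread: which lease length the
server grants, and when the client comes back to renew it.  Added example
on constructed dhcpd.conf fragments; not code from the dhcp package."""
import re
from typing import Dict, Optional

# The two knobs under discussion: the lease handed out when the client asks
# for no particular length, and the ceiling applied when it does ask.
_OPT = re.compile(r'^\s*(default-lease-time|max-lease-time)\s+(\d+)\s*;', re.M)


def lease_settings(conf: str) -> Dict[str, int]:
    """Pull default-lease-time / max-lease-time out of dhcpd.conf text
    (global scope only; per-subnet overrides are out of scope here)."""
    return {key: int(val) for key, val in _OPT.findall(conf)}


def granted_lease(default: int, maximum: int,
                  requested: Optional[int] = None) -> int:
    """Lease length dhcpd assigns per dhcpd.conf(5): default-lease-time when
    the client requests none, otherwise the request capped at max-lease-time
    (the min-lease-time floor is ignored here for brevity)."""
    if requested is None:
        return default
    return min(requested, maximum)


def client_timers(lease: int) -> Dict[str, int]:
    """RFC 2131 defaults a client uses when the server sends no explicit
    T1/T2: renew (T1) at 50% of the lease, rebind (T2) at 87.5%, expiry
    at 100%.  With the 600 s default the renew request arrives every 300 s,
    which is the 5-minute pattern Timothy saw in /var/log/messages."""
    return {"renew": lease // 2, "rebind": lease * 7 // 8, "expire": lease}


# Constructed: the stock 600 s default with the ISC sample max (assumed).
CENTOS_DEFAULT = "default-lease-time 600;\nmax-lease-time 7200;\n"

# Constructed from the longer values Timothy quoted from the web.
WEB_EXAMPLE = """\
default-lease-time 21600;
# Amount of time in seconds that a client may keep the IP address
max-lease-time 43200;
"""

if __name__ == "__main__":
    for name, conf in (("centos", CENTOS_DEFAULT), ("web", WEB_EXAMPLE)):
        s = lease_settings(conf)
        lease = granted_lease(s["default-lease-time"], s["max-lease-time"])
        print(name, lease, client_timers(lease))
```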


Re: [CentOS] EXTERNAL: Re: turning off udev for eth0

2012-01-05 Thread Massey, Ricky
We use the following from a kickstart script using the PCI bus location for the 
NICs:

echo "ID==\":04:04.0\", NAME=\"eth0\"" >> /etc/udev/rules.d/70-netrename.rules
echo "ID==\":05:00.0\", NAME=\"eth0\"" >> /etc/udev/rules.d/70-netrename.rules
echo "ID==\":05:01.0\", NAME=\"eth0\"" >> /etc/udev/rules.d/70-netrename.rules


-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Les Mikesell
Sent: Wednesday, January 04, 2012 11:43 AM
To: CentOS mailing list
Subject: EXTERNAL: Re: [CentOS] turning off udev for eth0

On Wed, Jan 4, 2012 at 8:22 AM, Denniston, Todd A CIV NAVSURFWARCENDIV
Crane  wrote:
>>> > It's a very common problem. Another way is to have a %post script in KS
>> > or after initial startup as a VM, that fixes the file based on what the
>> > VM properties are.
>>
>> It happens in real hardware too if you move a disk to a different
>> chassis, clone a drive, restore a backup to similar hardware, etc.
>>
>> Where is the best documentation on what triggers the rules to be
>> rewritten, how the bios location works, etc.?
>
> I gave up on tricking UDEV, it was easier to work with the system with my 
> clones.
> `system-config-network-cmd -e` yields a text file that, you can have either a 
> firstboot script or the booting sysadm,
> `system-config-network-cmd -i -c -f file.txt` will pull back in and 
> reconfigure the system after ifdown'ing eth0.
> For good measure I also blanked (and restorecon'd) resolv.conf and hosts 
> prior to pulling in the file.
>

Thanks, but does that control the device naming order?  My boxes
generally have 4 to 6 NICs, with at least 2 active.  Every time I
touch something the system wants to change the names around.  With
5.x, once the MAC addresses were known and in the ifcfg-* files the
names generally were stable unless something triggered kudzu to run
and replace them.   With 6.x even that is not reliable.  I need
something that will tie the ip config to a certain physical nic and
keep it there.   Sometimes I know the MAC addresses ahead of time when
cloning.  Should I expect substituting them into this file to nail
things down or is udev still involved separately?



Re: [CentOS] selinux context for mm-handler?

2012-01-05 Thread Daniel J Walsh

On 01/04/2012 05:37 PM, Paul Heinlein wrote:
> I've got a Mailman installation running on CentOS 4 that I'd like
> to migrate to a CentOS 6 box.
> 
> My big obstacle at present is getting Mailman's mm-handler Perl 
> script to run as a Sendmail local mailer with SELinux enabled.
> 
> I've tried changing mm-handler's selinux context type a few times,
> but nothing has resulted in success:
> 
> context              result
> -------------------  ----------------------------------
> etc_mail_t           sendmail can't execute mm-handler
> mailman_mail_exec_t  mm-handler can't load perl modules
> bin_t                mm-handler can't read Mailman data
> sendmail_exec_t      mm-handler can't read Mailman data
> 
> I'm willing and able to whip up a local policy modification, but I
>  thought I'd ask if there's a standard solution to this problem; my
>  Google searches have so far proven ineffective at providing
> pointers to an answer.
> 
Set it back to its default label and then tell me what AVC messages
you are seeing?


Re: [CentOS] sa-update error with perl

2012-01-05 Thread John Doe
From: email builder 

> Hmm, OK, prioritize CentOS repo over RepoForge then will yum update
> figure out the rest?  I don't see any priority settings in my yum conf 
> files...

# yum list | grep priorities
yum-priorities.noarch  1.1.16-16.el5.centos    installed

# cat /etc/yum/pluginconf.d/priorities.conf 
[main]
enabled = 1
check_obsoletes=1

Then add "priority=n" to the repo sections.
n=1 for CentOS
n=2 for repo 2
etc...

> Interestingly, I get this:
> rpm -q --whatrequires perl-IO-Socket-INET6
> no package requires perl-IO-Socket-INET6

# rpm -q --provides perl-IO-Socket-INET6
perl(IO::Socket::INET6) = 2.51
perl-IO-Socket-INET6 = 2.51-2.fc6

# rpm -q --whatrequires "perl(IO::Socket::INET6)"
spamassassin-3.3.1-2.el5

JD


Re: [CentOS] CentOS 6 and screenshot of website

2012-01-05 Thread nux
Jani Ollikainen writes:

> Hi,
> 
> How one is supposed to do screenshots of a website with CentOS 6?

If you're not looking for something strictly command line I've found Shutter 
to be the most excellent screenshotting tool.




[CentOS] yum warning...

2012-01-05 Thread John Doe
Hey,

From time to time I catch a yum warning.
Last time it was today:

# yum update

...

Downloading Packages:
vsftpd-2.2.2-6.el6_2.1.x86_64.rpm                            | 149 kB     00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Updating   : vsftpd-2.2.2-6.el6_2.1.x86_64                                1/2
  Cleanup    : vsftpd-2.2.2-6.el6_0.1.x86_64                                2/2

Updated:
  vsftpd.x86_64 0:2.2.2-6.el6_2.1

Complete!

How come a simple update of a single package from CentOS update
would "alter RPMDB outside of yum"...?
Could that be a plugin?
  yum-3.2.29-22.el6.centos.noarch
  yum-metadata-parser-1.1.2-16.el6.x86_64
  yum-plugin-fastestmirror-1.1.30-10.el6.noarch
  yum-plugin-priorities-1.1.30-10.el6.noarch
  yum-utils-1.1.30-10.el6.noarch

Anyone else?


Thx,
JD



Re: [CentOS] yum warning...

2012-01-05 Thread John Hodrien

On Thu, 5 Jan 2012, John Doe wrote:


> How come a simple update of a single package from CentOS update
> would "alter RPMDB outside of yum"...?
> Could that be a plugin?
>   yum-3.2.29-22.el6.centos.noarch
>   yum-metadata-parser-1.1.2-16.el6.x86_64
>   yum-plugin-fastestmirror-1.1.30-10.el6.noarch
>   yum-plugin-priorities-1.1.30-10.el6.noarch
>   yum-utils-1.1.30-10.el6.noarch
>
> Anyone else?


It's not saying it's just done that, it's saying that someone's added/removed
packages using rpm not yum.  Is that something you're likely to have done?  If
so, and you're okay with that, don't worry about the warning too much.

jh


Re: [CentOS] yum warning...

2012-01-05 Thread John R Pierce
On 01/05/12 6:17 AM, John Doe wrote:
> How come a simple update of a a single package from CentOS update
>
> would "alter RPMDB outside of yum"...?

I've gotten those messages when I've installed an RPM without using yum.


-- 
john r pierceN 37, W 122
santa cruz ca mid-left coast



Re: [CentOS] dhcp lease-time

2012-01-05 Thread Johnny Hughes
On 01/05/2012 07:03 AM, Timothy Murphy wrote:
> John Hodrien wrote:
>
>> On Thu, 5 Jan 2012, Timothy Murphy wrote:
>>
>>> Why is the default lease-time set to only 10 minutes (600 seconds)
>>> in /etc/dhcp/dhcpd.conf (CentOS-6.2) as distributed?
>> I assume the dull answer is: because that's what Redhat set it to.
> Let me re-word the query for you:
> Why does Redhat set the default lease-time to only 10 minutes (600 seconds)

That is the correct question.  The default upstream is 24 hours.


Re: [CentOS] A simplistic parental-control setup

2012-01-05 Thread Marko Vojinovic
On Thursday 05 January 2012 11:16:05 Ljubomir Ljubojevic wrote:
> On 01/05/2012 01:21 AM, Marko Vojinovic wrote:
> > On Wednesday 04 January 2012 18:04:43 Frank Cox wrote:
> >> On Wed, 04 Jan 2012 23:58:17 + Marko Vojinovic wrote:
> >>> The point is that I need a simple, easy-to-implement,
> >>> easy-to-configure
> >>> and easy-to-maintain solution for this particular usecase.
> >> 
> >> Put the disallowed addresses into your /etc/hosts file and associate
> >> those addresses with whatever you want them to resolve to.
> > 
> > Hmm... that sure looks simple enough. :-) I'll give it a try, thanks!
> 
> /etc/hosts is local DNS server. It does not work when http://1.2.3.4/xxx
> is used. You need iptables/PREROUTING/redirect? rules for that.
> 
> Also, I think you will need some kind of http server, at least like
> lighttpd.

Yes, it turns out that /etc/hosts doesn't handle all requirements that I asked 
for.

Shouldn't there be a firefox plugin, or something similar, that would take care 
of all this? I cannot believe that "parental control software" is something so 
uncommon... :-)

Best, :-)
Marko





Re: [CentOS] A simplistic parental-control setup

2012-01-05 Thread Marko Vojinovic
On Thursday 05 January 2012 01:39:49 Ljubomir Ljubojevic wrote:
> On 01/05/2012 12:58 AM, Marko Vojinovic wrote:
> > I am looking at the simplest (implementation-wise) solution to the
> > following problem (on CentOS 6.2):
> > 
> > I have a list of web addresses (like http://www.example.com,
> > https://1.2.3.4/, etc.) that should be "forbidden" to access from a
> > particular host. On access attempt, the browser should be redirected to
> > a local web page (file on the hard disk) with the explanation that
> > those addresses are forbidden. The possible ways of disallowed access
> > include:
> > 
> > * typing www.example.com or http://1.2.3.4/ in the browser
> > * typing www.example.com/anyfolder/somefile.html in the browser
> > * clicking on www.example.com when listed as a link on some other web
> > site (say, Google search results)
> > * nothing else.
> > 
> > The last point above assumes that the users will never try any other
> > > method of accessing the site. These users' knowledge about computers in
> > general is known to be elementary, so I don't need protection against
> > > geniuses who can figure out some obscure way to circumvent the
> > lockdown (and please don't tell me that this is an irrational
> > assumption, I know it is...).
> > 
> > If possible, all this should be on a "per user" basis, but if
> > implementing it system-wide would be much simpler, I could live with
> > it. :-)
> > 
> > The point is that I need a simple, easy-to-implement, easy-to-configure
> > and easy-to-maintain solution for this particular usecase. What I don't
> > need is some over-engineered solution that covers my usecase along with
> > a whole bunch of stuff I will never need, and takes two months to
> > configure properly. It should also be F/OSS, preferably included in
> > CentOS repos or elsewhere.
> > 
> > Or alternatively I could go along with manually setting up a bogus
> > httpd/dns/iptables configuration which would do all this, but I have a
> > feeling that it would not be the easiest thing to maintain...
> > 
> > I'd appreciate any suggestions. :-)
> 
> There is squidguard in RepoForge repository. It's a plugin for squid.
> There is also dansguardian.

I'll take a look at both of these, thanks! :-)
 
> If you use separate firewall box, you can use ClearOS, it has
> dansguardian set up.

No, the machine is already installed with CentOS. Furthermore, I am supposed 
to set up all this remotely (via ssh), since I don't have physical access to 
the box itself...

Best, :-)
Marko








Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread Johnny Hughes
On 01/04/2012 07:47 PM, Bennett Haselton wrote:
> On 1/4/2012 1:59 PM, Lamar Owen wrote:
>> [Distilling to the core matter; everything else is peripheral.]
>>
>> On Jan 4, 2012, at 2:58 PM, Bennett Haselton wrote:
>>> To be absolutely clear: Do you, personally, believe there is more than a
>>> 1 in a million chance that the attacker who got into my machine, got it
>>> by brute-forcing the password?  As opposed to, say, using an underground
>>> exploit?
>> Here's how I see it breaking down:
>>
>> 1.) Attacker uses apache remote exploit (or other means) to obtain 
>> your /etc/shadow file (not a remote shell, just GET the file without 
>> that fact being logged);
>> 2.) Attacker runs cloud-based (and/or CUDA accelerated) brute-forcer 
>> on 10,000,000 machines against your /etc/shadow file without your 
>> knowledge;
>> 3.) Some time passes;
>> 4.) Attacker obtains your password using distributed brute forcing of 
>> the hash in the window of time prior to you resetting it;
>> 5.) Attacker logs in since you allow password login.  You're pwned by 
>> a non-login brute-force attack.
>>
>> In contrast, with ssh keys and no password logins allowed:
>>
>> 1.) Attacker obtains /etc/shadow and cracks your password after some 
>> time;
>> 2.) Attacker additionally obtains /root/.ssh/*
>> 3.) Attacker now has your public key.  Good for them; public keys 
>> don't have to be kept secure since it is vastly more difficult to 
>> reverse known plaintext, known ciphertext, and the public key into a 
>> working private key than it is to brute-force the /etc/shadow hash 
>> (part of the difficulty is getting all three required components to 
>> successfully reverse your private key; the other part boils down to 
>> factoring and hash brute-forcing);
>> 4.) Attacker also has root's public and private keys, if there is a 
>> pair in root's ~/.ssh, which may or may not help them.  If there's a 
>> passphrase on the private key, it's quite difficult to obtain that 
>> from the key;
>> 5.) Attacker can't leverage either your public key or root's key pair 
>> (or the machine key; even if they can leverage that to do MitM (which 
>> they can and likely will) that doesn't help them obtain your private 
>> key for authentication;
>> 6.) Attacker still can't get in because you don't allow password 
>> login, even though attacker has root's password.
>>
>> This only requires an apache httpd exploit that allows reading of any 
>> file; no files have to be modified and no shells have to be acquired 
>> through any exploits.  Those make it faster, for sure; but even then 
>> the attacker is going to acquire your /etc/shadow as one of the first 
>> things they do; the next thing they're going to do is install a 
>> rootkit with a backdoor password.
>>
>> Brute-forcing by hash-cracking, not by attempting to login over ssh, 
>> is what I'm talking about.
> I acknowledged that the first time I replied to someone's post saying a 
> 12-char password wasn't secure enough.  I hypothesized an attacker with 
> the fastest GPU-driven password cracker in the world (even allowing for 
> 100-factor improvements in coming years) and it would still take 
> centuries to break.  I understand about brute-forcing the hash vs. 
> brute-forcing the login, but some others had posted about brute-forcing 
> the login specifically and I was commenting on how ridiculous that was.
>
>> This is what I mean when I say 'multilayer metasploit-driven attacks.'
>>
>> The weakest link is the security of /etc/shadow on the server for 
>> password auth (unless you use a different auth method on your server, 
>> like LDAP or other, but that just adds a layer, making the attacker 
>> work harder to get that all-important password).  Key-based auth is 
>> superior, since the attacker reading any file on your server cannot 
>> compromise the security.
>>
>> Kerberos is better still.
>>
>> Now, the weakest link for key auth is the private key itself.  But 
>> it's better protected than any password is (if someone can swipe your 
>> private key off of your workstation you have bigger problems, and they 
>> will have your /etc/shadow for your workstation, and probably a 
>> backdoor.).  The passphrase is also better protected than the 
>> typical MD5 hash password, too.
>>
>> It is the consensus of the security community that key-based 
>> authentication with strong private key passphrases is better than any 
>> password-only authentication, and that consensus is based on facts 
>> derived from evidence of actual break-ins. 
> Well yes, on average, password-authentication is going to be worse 
> because it includes people in the sample who are using passwords like 
> "Patricia".  Did they compare the break-in rate for systems with 12-char 
> passwords vs. systems with keys?
>
> I have nothing in particular against ssh keys - how could anybody be 
> "against ssh keys"? :)  My point was that when I asked "How did 
> attackers probably get in, given that the password was a random 
>
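The mitigation Lamar's scenario rests on is that sshd refuses password logins, and sshd_config has a well-known trap here: the first occurrence of a keyword wins, so a "PasswordAuthentication no" appended below an earlier "yes" changes nothing. This added checker (constructed config samples, not OpenSSH code; the defaults are those of OpenSSH 5.3 as shipped in CentOS 6) resolves the effective global settings and flags what still lets a cracked shadow hash be turned into a login.

```python
"""Resolve the password-login settings sshd will actually use and flag the
ones that let a cracked /etc/shadow hash become a login.  Added example on
constructed config text; not code from OpenSSH or the thread."""
from typing import Dict, List

# OpenSSH 5.3 (CentOS 6) defaults, applied when a keyword is absent or only
# present as a comment.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "permitemptypasswords": "no",
}


def effective_settings(text: str) -> Dict[str, str]:
    """Global settings per sshd_config(5): keywords are case-insensitive,
    the first occurrence of a keyword wins, and a Match line ends the global
    section (everything below it is conditional and needs its own review)."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().lower()
    return {**DEFAULTS, **seen}


def audit(text: str) -> List[str]:
    """Return the findings that keep password-based entry possible."""
    s = effective_settings(text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is effectively yes")
    if s["challengeresponseauthentication"] != "no":
        # With UsePAM, keyboard-interactive can still prompt for the Unix password.
        findings.append("ChallengeResponseAuthentication is effectively yes")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if s["permitrootlogin"] not in ("no", "without-password", "forced-commands-only"):
        findings.append("PermitRootLogin still allows root password login")
    if s["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords is enabled")
    return findings


# Constructed.  STOCK mirrors the shape of a default CentOS 6 file: most
# keywords commented out (so defaults apply), password logins on.
STOCK = """\
#PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed: an admin appended "no" at the bottom without removing the
# earlier "yes"; sshd keeps the first value, so passwords stay enabled.
TRAP = STOCK + "PasswordAuthentication no\n"

# Constructed: password paths closed, key auth on, root only via key.
HARDENED = """\
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
"""

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("trap", TRAP), ("hardened", HARDENED)):
        print(name, audit(conf) or ["ok"])
```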

Re: [CentOS] yum warning...

2012-01-05 Thread Marko Vojinovic
On Thursday 05 January 2012 06:17:17 John Doe wrote:
> # yum update
> ...
> Downloading Packages:
> vsftpd-2.2.2-6.el6_2.1.x86_64.rpm | 149
> kB 00:01 Running rpm_check_debug
> Running Transaction Test
> Transaction Test Succeeded
> Running Transaction
> Warning: RPMDB altered outside of yum.
>   Updating   :
> vsftpd-2.2.2-6.el6_2.1.x86_64 1/2
> Cleanup:
> vsftpd-2.2.2-6.el6_0.1.x86_64 2/2
> Updated:
>   vsftpd.x86_64
> 0:2.2.2-6.el6_2.1  
>  Complete!
> 
> How come a simple update of a a single package from CentOS update
> would "alter RPMDB outside of yum"...?

The warning is generated by yum, saying that its own database of installed 
packages does not match the rpm database. This basically means that sometime 
back you have used rpm directly to install/remove some package, circumventing 
yum. You are not supposed to install rpm packages behind yum's back. :-)

The warning has nothing to do with the vsftpd package which is being updated 
in this instance. It's rather yum performing the database check when the 
transaction starts.

HTH, :-)
Marko





Re: [CentOS] yum warning...

2012-01-05 Thread John Doe
From: John Hodrien 

> On Thu, 5 Jan 2012, John Doe wrote:
>>  How come a simple update of a a single package from CentOS update
>>  would "alter RPMDB outside of yum"...?
> It's not saying it's just done that, it's saying that someone's 
> added/removed packages using rpm not yum.

Ah, now that I reread the sentence, I get it...

Thx!
JD


Re: [CentOS] yum warning...

2012-01-05 Thread Nicolas Thierry-Mieg


John R Pierce wrote:
> On 01/05/12 6:17 AM, John Doe wrote:
>> How come a simple update of a a single package from CentOS update
>>
>> would "alter RPMDB outside of yum"...?
>
> I've gotten those messages when I've installed an RPM without using yum.

yes, it appears yum is trying to become more than a depsolver and 
frontend for the package manager, i.e. rpm. Meaning we'll have fewer 
options available... depsolver lock-in?
oh well...


Re: [CentOS] yum warning...

2012-01-05 Thread John Hodrien
On Thu, 5 Jan 2012, Nicolas Thierry-Mieg wrote:

> yes, it appears yum is trying to become more than a depsolver and
> frontend for the package manager, ie rpm. Meaning we'll have fewer
> options available... depsolver lock-in?
> oh well...

Don't take it that seriously.  It's a warning, you're free to ignore it.  If
you use something like spacewalk, using yum to remove a package has the
advantage that spacewalk is immediately aware you've done it.

jh


Re: [CentOS] c6, LSI megaraid drive failure notification

2012-01-05 Thread Craig White

On Jan 4, 2012, at 7:08 PM, John R Pierce wrote:

> On 12/22/11 1:32 PM, Craig White wrote:
>> On Dec 22, 2011, at 1:12 PM, John R Pierce wrote:
>> 
 i'm configuring a storage server with CentOS 6.2, it uses a LSI MegaRAID
 SAS controller, I'm using LSI's megacli to configure the storage...
 Any ideas on how to get drive failure notifications out of this
 system?   I'm configuring hot spares but I'd still like some sort of
 notification when a drive has failed so the spare can be replaced.
>> 
>> don't know how to do it on CentOS but on Ubuntu, I use megaclisas-status 
>> package which goes hand in hand with megacli and it sends notifications.
>> 
>> If you want, I can e-mail you the megaclisas-status script from /usr/sbin 
>> and beyond that, there's a sysv initscript that periodically checks and 
>> sends an e-mail. Simple enough.
> 
> 
> not having much  luck locating that megaclisas-status script
> 
> http://hwraid.le-vert.net/wiki/LSIMegaRAIDSAS talks about it, but the 
> source is nowhere to be found

It seems to me that the megaclisas-statusd is basically 2 script files, 1 in 
/usr/sbin and the other a sysv initscript and should be easily modifiable to 
run on CentOS instead of Debian/Ubuntu with the requirement that you would need 
to have megacli installed/running. I agree that I couldn't find any rpms of 
the same.

Craig
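Since megaclisas-status itself is not packaged for CentOS, here is the job it does (poll the controller, mail when a drive is not healthy) as an added example written for this thread. It is not the megaclisas-status script and not from the original post. It assumes LSI's MegaCli64 at /opt/MegaRAID/MegaCli/MegaCli64 (the vendor's default path) and a working local mail command; the recipient, state-file path, error threshold and cron schedule are assumptions. The parser is the part worth keeping even if the notification mechanism differs: it flags drives the controller still calls Online but whose media or predictive-failure counters are climbing, which is usually the earlier warning.

```shell
#!/bin/sh
# Periodic MegaRAID health check with e-mail notification, the job the
# Debian megaclisas-status package does, written for a CentOS box with
# LSI's MegaCli installed.  Added example: not the megaclisas-status
# script and not from the original post.  Assumes MegaCli64 lives at
# /opt/MegaRAID/MegaCli/MegaCli64 (LSI's default) and that local mail
# works; recipient, state file path and cron schedule are assumptions.

MEGACLI="${MEGACLI:-/opt/MegaRAID/MegaCli/MegaCli64}"
STATE_FILE="${STATE_FILE:-/var/run/megaraid-check.state}"
MAILTO="${MAILTO:-root}"

# Read "MegaCli -PDList -aALL" output on stdin and print one line per
# physical drive that needs attention:
#   <enclosure>:<slot> <firmware state> media=<n> predictive=<n>
# A drive is listed when its state is anything but Online/Hotspare, or
# when its media or predictive-failure counter exceeds $1 (default 0),
# so a drive that is still "Online" but accumulating errors shows up
# before the controller fails it.
unhealthy_drives() {
    awk -v thr="${1:-0}" '
        function flush() {
            if (slot == "") return
            bad = (state !~ /^Online/ && state !~ /^Hotspare/)
            if (bad || media + 0 > thr || pred + 0 > thr)
                printf "%s:%s %s media=%s predictive=%s\n", enc, slot, state, media, pred
            slot = ""; media = 0; pred = 0; state = "unknown"
        }
        BEGIN                        { state = "unknown" }
        /^Enclosure Device ID:/      { flush(); enc = $4 }
        /^Slot Number:/              { slot = $3 }
        /^Media Error Count:/        { media = $4 }
        /^Predictive Failure Count:/ { pred = $4 }
        /^Firmware state:/           { state = $0; sub(/^Firmware state: */, "", state) }
        END                          { flush() }'
}

# Run the controller query, compare with the last report and mail only
# when something changed (a failed drive at 03:00 is one mail, not one
# every ten minutes; recovery is reported once too).
check_and_alert() {
    cd /var/tmp || return 1          # MegaCli drops MegaSAS.log in the cwd
    report=$("$MEGACLI" -PDList -aALL | unhealthy_drives "${1:-0}")
    previous=$(cat "$STATE_FILE" 2>/dev/null)
    [ "$report" = "$previous" ] && return 0
    printf '%s\n' "$report" > "$STATE_FILE"
    host=$(hostname)
    if [ -n "$report" ]; then
        printf 'Drives needing attention on %s:\n\n%s\n' "$host" "$report" \
            | mail -s "MegaRAID: drive problem on $host" "$MAILTO"
    else
        printf 'All drives on %s are back to Online/Hotspare.\n' "$host" \
            | mail -s "MegaRAID: recovered on $host" "$MAILTO"
    fi
}

# Cron entry (assumed path):  */10 * * * * root RUN_CHECK=1 /usr/local/sbin/megaraid-check.sh
if [ "${RUN_CHECK:-0}" = "1" ]; then
    check_and_alert "${ERROR_THRESHOLD:-0}"
fi
```

Run it by hand once with `RUN_CHECK=1` to confirm MegaCli is found and mail arrives, then install the cron line. Hot spares are deliberately treated as healthy (John is configuring them), but a hot spare with a non-zero predictive count is still reported, because that is the drive that will be rebuilt onto next.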


[CentOS] Corrupt mbr and disk directory map

2012-01-05 Thread Billy Davis
We are running Centos 5.6.  All was fine until yesterday.  I attempted 
to tar a 14KB work file to a USB floppy  (/dev/sdb) for transport to 
another server.  Unfortunately, I keyed in 'tar cvf /dev/sda filename' 
instead of 'tar cvf /dev/sdb filename'.   /dev/sda is our main 
(boot/root/apps) scsi hard drive.   I realized my mistake, but it was 
too late.  The system is still powered up and running, but I am sure 
that I have overlaid (and trashed) the mbr and the disk directory map.

When I run the 'fdisk /dev/sda' command, the console displays:

"Device contains neither a valid DOS partition table, nor Sun, SGI or 
OSF disklabel.  Building a new DOS disklabel.  Changes will remain in 
memory only, until you decide to write them.  After that, of course, the 
previous content won't be recoverable."

When I run grub and enter 'find /grub/stage1', the console displays 
"Error 15: File not found"

I suspect that when I power the system down, it will not reboot.  I can 
reinstall mbr and grub, but I don't have the original partition table 
start/end values.  Since the system is still running, it seems that the 
partition table must still be available to it from somewhere.

Is there any way to easily restore the partition table?

The system is completely backed up and can be restored if necessary, but 
I prefer a quick and simple solution, if possible.

Any ideas?
Thanks




Re: [CentOS] CentOS 6 and screenshot of website

2012-01-05 Thread Walter Haidinger
Am 05.01.2012 12:52, schrieb John Hodrien:
> So he wants to be able to capture an image of what a website looks like from
> the command line, and not really take a screenshot at all.

Indeed, as there is no screen...

This is difficult, as websites need to be rendered,
and one just has to google for ACID-3 to see that
this is not that straightforward.

> I think that's a fair summary anyway...

Yes, thanks for the clarification!

As a workaround, I'd use a "virtual" screen, i.e.
automate the tasks that would have to be done for
a "real" screenshot. This can be scripted without
any user interaction:

* Run Xvnc in the desired resolution/depth
  Sort of a headless X11, debug by connecting via VNC
* setup authentication using xauth (or even xhost if desperate)
* export $DISPLAY to access it
* open the URL to "screenshot" in firefox/chrome/opera, e.g.
  firefox -height x -width y "$url"
  (the -height and -width options still work, right?)
* run xwininfo and grep for the name of the browser window
  to get the windows id
* Screenshot it:
  xwd -id $browserid | xwdtopnm | pnmtojpeg > website.jpg
* kill firefox process
* kill Xvnc if no more screenshots are needed

All steps can also be done manually, therefore
debugging should be easy, step by step.

Walter
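Walter's step list, scripted end to end, as an added example that is not code from the original post. It assumes xorg-x11-server-Xvfb (Xvnc works the same way, with a VNC port to debug through), xauth, mcookie, firefox, xwininfo and the netpbm tools are installed; display :99, the 1024x768 geometry and the "Mozilla Firefox" window-title pattern are assumptions. The -width and -height options Walter asks about do exist in firefox. The one deliberate choice is the xauth cookie plus -nolisten tcp instead of xhost: with xhost +, any local user could inject input into the browser or read what it renders.

```shell
#!/bin/sh
# Walter's headless-screenshot procedure as one script.  Added example, not
# code from the original post.  Assumed: xorg-x11-server-Xvfb (Xvnc works
# the same way), xauth, mcookie, firefox, xwininfo and netpbm are installed;
# display :99, the 1024x768 geometry and the "Mozilla Firefox" title
# pattern are assumptions.

DISPLAY_NUM=":99"
GEOMETRY="1024x768x24"

# Print the id of the first top-level window whose title matches $1, given
# "xwininfo -root -tree" output on stdin.  Lines look like:
#   0x1400005 "Example Domain - Mozilla Firefox": ("Navigator" "Firefox")  1024x739+0+0  +0+0
find_window_id() {
    pattern="$1"
    grep -- "\"[^\"]*$pattern[^\"]*\":" \
        | sed -n 's/^[[:space:]]*\(0x[0-9a-fA-F][0-9a-fA-F]*\) .*/\1/p' \
        | head -n 1
}

# Start a virtual X server that only processes holding our cookie can use.
# xhost +, the "desperate" alternative, would let any local user inject
# input into the browser or read what it renders.
start_display() {
    XAUTHFILE=$(mktemp /tmp/xauth.XXXXXX)
    export XAUTHORITY="$XAUTHFILE"
    xauth -f "$XAUTHFILE" add "$DISPLAY_NUM" MIT-MAGIC-COOKIE-1 "$(mcookie)"
    Xvfb "$DISPLAY_NUM" -screen 0 "$GEOMETRY" -auth "$XAUTHFILE" -nolisten tcp &
    XPID=$!
    sleep 2
}

# Open $1 in firefox on the virtual display and write a JPEG of the browser
# window to $2.  There is no "page finished rendering" signal available
# from outside the browser, so a fixed delay after the window appears is
# the best this approach can do.
capture_url() {
    url="$1"; out="$2"
    DISPLAY="$DISPLAY_NUM" firefox -width 1024 -height 768 "$url" &
    FFPID=$!
    wid=""; i=0
    while [ -z "$wid" ] && [ "$i" -lt 30 ]; do
        sleep 1; i=$((i + 1))
        wid=$(DISPLAY="$DISPLAY_NUM" xwininfo -root -tree | find_window_id "Mozilla Firefox")
    done
    if [ -z "$wid" ]; then
        echo "no browser window appeared for $url" >&2
        kill "$FFPID" 2>/dev/null
        return 1
    fi
    sleep 5
    DISPLAY="$DISPLAY_NUM" xwd -id "$wid" | xwdtopnm | pnmtojpeg > "$out"
    kill "$FFPID" 2>/dev/null
}

stop_display() {
    kill "$XPID" 2>/dev/null
    rm -f "$XAUTHFILE"
}

# Only run the pipeline when asked to, so the file can also be sourced for
# its functions:  RUN_CAPTURE=1 ./webshot.sh http://www.example.com out.jpg
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    start_display
    capture_url "$1" "${2:-website.jpg}"
    stop_display
fi
```

For a batch of URLs, call start_display once, capture_url per URL and stop_display at the end, as Walter's last two steps suggest. Run the page-fetching half under a dedicated unprivileged user: the browser is rendering untrusted content with no one watching it.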


Re: [CentOS] A simplistic parental-control setup

2012-01-05 Thread John Doe
From: Marko Vojinovic 

> Shouldn't there be a firefox plugin, or something similar, that would take 
> care of all this? I cannot believe that "parental control software" is 
> something so uncommon... :-)

Try to google "firefox parental control" and click on the first result...  ^_^

JD


Re: [CentOS] A simplistic parental-control setup

2012-01-05 Thread Pete Travis
It won't help more than /etc/hosts entries, but I've found using OpenDNS
with a free account and a script / client to keep the IP in sync to be very
effective. DNS redirects can be applied categorically or with a per domain
blacklist.  The metrics and charts are interesting too, on a nicely basis
or to check on what's slipping through the filters.

--Pete
On Jan 5, 2012 7:47 AM, "Marko Vojinovic"  wrote:

> On Thursday 05 January 2012 01:39:49 Ljubomir Ljubojevic wrote:
> > On 01/05/2012 12:58 AM, Marko Vojinovic wrote:
> > > I am looking at the simplest (implementation-wise) solution to the
> > > following problem (on CentOS 6.2):
> > >
> > > I have a list of web addresses (like http://www.example.com,
> > > https://1.2.3.4/, etc.) that should be "forbidden" to access from a
> > > particular host. On access attempt, the browser should be redirected to
> > > a local web page (file on the hard disk) with the explanation that
> > > those addresses are forbidden. The possible ways of disallowed access
> > > include:
> > >
> > > * typing www.example.com or http://1.2.3.4/ in the browser
> > > * typing www.example.com/anyfolder/somefile.html in the browser
> > > * clicking on www.example.com when listed as a link on some other web
> > > site (say, Google search results)
> > > * nothing else.
> > >
> > > The last point above assumes that the users will never try any other
> > > method of accessing the site. These user's knowledge about computers in
> > > general is known to be elementary, so I don't need protection against
> > > geniuses who can figure out some obscure way to circumvent the
> > > lockdown (and please don't tell me that this is an irrational
> > > assumption, I know it is...).
> > >
> > > If possible, all this should be on a "per user" basis, but if
> > > implementing it system-wide would be much simpler, I could live with
> > > it. :-)
> > >
> > > The point is that I need a simple, easy-to-implement, easy-to-configure
> > > and easy-to-maintain solution for this particular usecase. What I don't
> > > need is some over-engineered solution that covers my usecase along with
> > > a whole bunch of stuff I will never need, and takes two months to
> > > configure properly. It should also be F/OSS, preferably included in
> > > CentOS repos or elsewhere.
> > >
> > > Or alternatively I could go along with manually setting up a bogus
> > > httpd/dns/iptables configuration which would do all this, but I have a
> > > feeling that it would not be the easiest thing to maintain...
> > >
> > > I'd appreciate any suggestions. :-)
> >
> > There is squidguard in RepoForge repository. It's a plugin for squid.
> > There is also dansguardian.
>
> I'll take a look at both of these, thanks! :-)
>
> > If you use separate firewall box, you can use ClearOS, it has
> > dansguardian set up.
>
> No, the machine is already installed with CentOS. Furthermore, I am
> supposed
> to set up all this remotely (via ssh), since I don't have physical access
> to
> the box itself...
>
> Best, :-)
> Marko
>
>
>
>
>
>
>


[CentOS] CentOS6 and tilde expansion

2012-01-05 Thread isdtor
Set up NIS and autofs on this new CentOS6 box, but it seems tilde
expansion no longer works in bash?

[root@frodo ~]# cd ~john
-bash: cd: ~john: No such file or directory
[root@frodo ~]# cd /home/john
[root@frodo john]# pwd
/home/john
[root@frodo john]#

It still works in t/csh:

[root@frodo ~]# /bin/csh
[root@frodo ~]# cd ~john
[root@frodo ~john]# pwd
/home/john
[root@frodo ~john]#

I couldn't find anything in the bash man page that suggests this
feature needs explicit configuration.


Re: [CentOS] A simplistic parental-control setup

2012-01-05 Thread wwp
Hello John,


On Thu, 5 Jan 2012 08:00:29 -0800 (PST) John Doe  wrote:

> From: Marko Vojinovic 
> 
> > Shouldn't there be a firefox plugin, or something similar, that would take 
> > care of all this? I cannot believe that "parental control software" is 
> > something so uncommon... :-)
> 
> Try to google "firefox parental control" and click on the first result...  ^_^

This assertion is not reliable, unless you did it intentionally? Results
brought by Google are not the same here and there...


Regards,

-- 
wwp




Re: [CentOS] CentOS6 and tilde expansion

2012-01-05 Thread John Hodrien
On Thu, 5 Jan 2012, isdtor wrote:

> Set up NIS and autofs on this new CentOS6 box, but it seems tilde
> expansion no longer works in bash?
>
> [root@frodo ~]# cd ~john
> -bash: cd: ~john: No such file or directory
> [root@frodo ~]# cd /home/john
> [root@frodo john]# pwd
> /home/john
> [root@frodo john]#
>
> It still works in t/csh:
>
> [root@frodo ~]# /bin/csh
> [root@frodo ~]# cd ~john
> [root@frodo ~john]# pwd
> /home/john
> [root@frodo ~john]#
>
> I couldn't find anything in the bash man page that suggests this
> feature needs explicit configuration.

It's not generally true, tilde works just as expected here on C6 with bash.
Perhaps something's been cached by bash from when NIS was setup incorrectly?

I'd assume cd ~root would work if that was the case.

jh


Re: [CentOS] Corrupt mbr and disk directory map

2012-01-05 Thread m . roth
Billy Davis wrote:
> We are running Centos 5.6.  All was fine until yesterday.  I attempted
> to tar a 14KB work file to a USB floppy  (/dev/sdb) for transport to
> another server.  Unfortunately, I keyed in 'tar cvf /dev/sda filename'
> instead of 'tar cvf /dev/sdb filename'.   /dev/sda is our main
> (boot/root/apps) scsi hard drive.   I realized my mistake, but it was
> too late.  The system is still powered up and running, but I am sure
> that I have overlaid (and trashed) the mbr and the disk directory map.

> I suspect that when I power the system down, it will not reboot.  I can

You have that right.

> reinstall mbr and grub, but I don't have the original partition table
> start/end values.  Since the system is still running, it seems that the
> partition table must still be available to it from somewhere.
>
> Is there any way to easily restore the partition table?

Easily? No (other than the grub-install /dev/sda part).

Sorry about your problem, but I appreciate the question: it led me to
, a fair bit
of which was quite familiar, and other bits weren't. For example, cat
/proc/partitions might give you a serious bit of the information you're
looking for.

Hope that helps.

   mark

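Following on from mark's pointer: while the system is still up, the kernel's copy of the table is intact, and sysfs has more than /proc/partitions does, namely the start sector of each partition as well as its size (/sys/block/sda/sdaN/start and size). The script below, an added example that is not from the original post, turns that into sfdisk input. What sysfs cannot give is the MBR type byte, so every line is emitted as type 83 and has to be corrected by hand before anything is written (8e for an LVM physical volume, 82 for swap); it also assumes consecutively numbered primary partitions only, since the extended container for sda5 and up is not fully described in sysfs. Back up the damaged first sector first, preview with -n, and only then write.

```shell
#!/bin/sh
# Recover a partition table from the running kernel, for the situation in
# this thread: the on-disk MBR is gone but the system is still up, so the
# kernel's copy of the table is intact in sysfs.  /proc/partitions gives
# sizes only; /sys/block/<disk>/<part>/start also gives the start sector.
# Added example, not from the original post.  The type code is an
# assumption: sysfs does not record the MBR type byte, so every line is
# emitted as 83 (Linux) and must be corrected by hand first (8e for an LVM
# physical volume, 82 for swap).  Works as written for consecutively
# numbered primary partitions only; if sda5 or higher exists, the extended
# container (type 5) has to be reconstructed by hand as well.

# Print sfdisk -uS input, one "start,size,type" line per partition of disk
# $1 (e.g. sda).  $2 overrides the sysfs root so the conversion can be
# tried against a copied tree.
sysfs_partitions_to_sfdisk() {
    disk="$1"; sysroot="${2:-/sys}"
    for part in "$sysroot/block/$disk/$disk"[0-9]*; do
        [ -r "$part/start" ] && [ -r "$part/size" ] || continue
        # both values are 512-byte sectors, which is what -uS expects
        printf '%s,%s,83\n' "$(cat "$part/start")" "$(cat "$part/size")"
    done
}

# Keep the damaged first sector; it is evidence of what happened and the
# only copy of whatever tar wrote there.
backup_mbr() {
    dd if="/dev/$1" of="/root/$1.mbr.$(date +%Y%m%d%H%M%S)" bs=512 count=1
}

# Let sfdisk parse and echo the table without writing (-n).
preview_table() {
    sysfs_partitions_to_sfdisk "$1" | sfdisk -uS -n "/dev/$1"
}

# Write it.  The kernel cannot re-read a table for a disk that is in use,
# so --no-reread and -f are needed; the running system keeps using its
# in-memory copy and the new on-disk copy is what the next boot sees.
# Then put the boot loader back:  grub-install /dev/sda
write_table() {
    sysfs_partitions_to_sfdisk "$1" | sfdisk -uS --no-reread -f "/dev/$1"
}
```

Compare the preview against `cat /proc/partitions` (sizes there are in 1 KiB blocks, so half the sector counts) before writing; if they disagree, stop. Since the box is fully backed up, the downside of getting this wrong is a reinstall rather than data loss, but do not power off until the table and grub are back.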


Re: [CentOS] CentOS6 and tilde expansion

2012-01-05 Thread m . roth
isdtor wrote:
> Set up NIS and autofs on this new CentOS6 box, but it seems tilde
> expansion no longer works in bash?
>
> [root@frodo ~]# cd ~john
> -bash: cd: ~john: No such file or directory
> [root@frodo ~]# cd /home/john

Works jes' fine for me. There's something either in your environment, or
some option that's gotten munged. Please note what you pasted: the PS1
shows you being in your home... with a tilde.

mark



Re: [CentOS] A simplistic parental-control setup

2012-01-05 Thread Ljubomir Ljubojevic
On 01/05/2012 05:11 PM, wwp wrote:
> Hello John,
>
>
> On Thu, 5 Jan 2012 08:00:29 -0800 (PST) John Doe  wrote:
>
>> From: Marko Vojinovic
>>
>>> Shouldn't there be a firefox plugin, or something similar, that would take
>>> care of all this? I cannot believe that "parental control software" is
>>> something so uncommon... :-)
>>
>> Try to google "firefox parental control" and click on the first result...  
>> ^_^
>
> This assertion is not reliable, unless you did it intentionally? Results
> brought by Google are not the same here and there...
>
>

then open Add-on in Firefox and search for "parental control". You will 
get 9 options to choose from.

If you run CentOS on a Desktop system, use Firefox 9.0.1 from Remi's 
repository. It is several times faster than 3.x versions, even 30% 
faster than 8.0.

I initially wrote all mentioned options but deleted them since you asked 
for a solution for the entire system. What if the kid uses Konqueror? You then 
have to uninstall all other browsers.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] CentOS6 and tilde expansion

2012-01-05 Thread isdtor
> It's not generally true, tilde works just as expected here on C6 with bash.
> Perhaps something's been cached by bash from when NIS was setup incorrectly?

That's most likely it. All is working fine after a reboot.

> I'd assume cd ~root would work if that was the case.

It does.


[CentOS] CentOS-announce Digest, Vol 83, Issue 2

2012-01-05 Thread centos-announce-request
Send CentOS-announce mailing list submissions to
centos-annou...@centos.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.centos.org/mailman/listinfo/centos-announce
or, via email, send a message with subject or body 'help' to
centos-announce-requ...@centos.org

You can reach the person managing the list at
centos-announce-ow...@centos.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of CentOS-announce digest..."


Today's Topics:

   1. CEBA-2012:0002 CentOS 5 gnome-screensaver Update (Johnny Hughes)


--

Message: 1
Date: Thu, 5 Jan 2012 14:28:46 +
From: Johnny Hughes 
Subject: [CentOS-announce] CEBA-2012:0002 CentOS 5 gnome-screensaver
Update
To: centos-annou...@centos.org
Message-ID: <20120105142846.ga21...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Bugfix Advisory 2012:0002 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2012-0002.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
3e54b38e91dd4095ec5552733306535d993a51b4678c2a1db5dbbec91b13256f  
gnome-screensaver-2.16.1-8.el5_7.4.i386.rpm

x86_64:
83d89da2e6cb1e777858a981d9dc72244b068d86adb427832325242c063b88ee  
gnome-screensaver-2.16.1-8.el5_7.4.x86_64.rpm

Source:
d3efc85e6d01e35f04509fd7986e2433a391020e01f35805cac13b0243287b00  
gnome-screensaver-2.16.1-8.el5_7.4.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net



--

___
CentOS-announce mailing list
centos-annou...@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce


End of CentOS-announce Digest, Vol 83, Issue 2
**


Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread Les Mikesell
On Wed, Jan 4, 2012 at 8:12 PM, Bennett Haselton  wrote:
>>
>>> Yes, the totality of SELinux restrictions sounds like it could make a
>>> system more secure if it helps to guard against exploits in the services
>>> and the OS.  My point was that some individual restrictions may not make
>>> sense.
>> There is a wrong premise here as well. The idea of SELinux is "if it is not
>> known to be safe/necessary, restrict it", regardless of whether that
>> restriction "makes sense" or not.
>>
> Even if my random password generator has nonrandomness which
> takes away 20 bits of randomness from the result, your odds of guessing
> it are still only 1 in 10^15 -- not so worrisome anymore.
>
> Look, people are perfectly free to believe that 12-char passwords are
> insecure if they want.  Nobody's stopping you, and it certainly won't
> make you *less* secure, if it motivates you to use to ssh keys.  Again,
> my problem was that the "passwords" mantra virtually shut down the
> discussion, and I had to keep pressing the point for over 100 messages
> in the thread before someone offered a suggestion that addressed the
> real problem, which is exploits in the web server and the operating system.

The real point which you don't seem to have absorbed yet, is that it
doesn't work to count on some specific difficulty in the path of an
expected attack.   The attacker will use a method you didn't expect.
You are right that there is a low probability of a single attacker
succeeding starting from scratch with brute force network password
guessing on a single target.  But that doesn't matter, does it?

-- 
  Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] CentOS 6 and screenshot of website

2012-01-05 Thread Ljubomir Ljubojevic
On 01/05/2012 01:53 PM, Jani Ollikainen wrote:
> On 5.1.2012 13:52, John Hodrien wrote:
>> So he wants to be able to capture an image of what a website looks like from
>> the command line, and not really take a screenshot at all.
>> I think that's a fair summary anyway...
>
> Yes, well, not native English speaker so I would call those screenshots
> of the website, or maybe screen capture would be better but it's still
> almost the same :) If I would say picture of a website, it to me
> would sound something less describing than screenshot.
>
> I thought linking up two example programs doing it would describe
> it. But it seems people didn't open/read the URLs. As the one was:
> http://www.coderholic.com/pywebshot-generate-website-thumbnails-using-python/
>
> "Here’s an example of running PyWebShot with 3 URLs, and the resulting
> images:
>
> $ ./pywebshot.py -t 500x250 http://www.coderholic.com
> http://geomium.com/update/598/ http://jobs.plasis.co.uk
> Loading http://www.coderholic.com... saved as www.coderholic.com.png
> Loading http://geomium.com/update/598/... saved as
> geomium.com.update.598..png
> Loading http://jobs.plasis.co.uk... saved as jobs.plasis.co.uk.png"
>
> But your capture-website example is good description what I'm looking
> for that would work on the components available in CentOS 6 (or
> some well known 3rd party repository, not replacing too much of
> the normal system).
>
> Now my solution was to compile gnome-python2-extras with changes to
> .spec and as some one commented Mozilla has dropped support for
> gtkmozembed so that solution doesn't seem to be long lived and
> some other option would be nice.

Maybe recompile Fedoras 'gnome-web-photo" package?
http://vertito.blogspot.com/2008/02/howto-thumbnail-website-from-linux.html


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] yum warning...

2012-01-05 Thread Ljubomir Ljubojevic
On 01/05/2012 04:01 PM, Marko Vojinovic wrote:
> On Thursday 05 January 2012 06:17:17 John Doe wrote:
>> How come a simple update of a single package from CentOS update
>> would "alter RPMDB outside of yum"...?
>
> The warning is generated by yum, saying that its own database of installed
> packages does not match the rpm database. This basically means that sometime
> back you have used rpm directly to install/remove some package, circumventing
> yum. You are not supposed to install rpm packages behind yum's back. :-)
>
> The warning has nothing to do with the vsftpd package which is being updated
> in this instance. It's rather yum performing the database check when the
> transaction starts.
>

This can be avoided using "yum localinstall " from the 
location where that package is, instead of "rpm -ivh ".

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] selinux context for mm-handler?

2012-01-05 Thread Paul Heinlein
On Thu, 5 Jan 2012, Daniel J Walsh wrote:

> On 01/04/2012 05:37 PM, Paul Heinlein wrote:
>> I've got a Mailman installation running on CentOS 4 that I'd like
>> to migrate to a CentOS 6 box.
>>
>> My big obstacle at present is getting Mailman's mm-handler Perl
>> script to run as a Sendmail local mailer with SELinux enabled.
>>
>> I've tried changing mm-handler's selinux context type a few times,
>> but nothing has resulted in success []
>
> Set it back to its default label and then tell me what AVC messages
> you are seeing?

The rpm-supplied file is installed with the documentation, not with 
the binaries:

   /usr/share/doc/mailman-2.1.12/contrib/mm-handler

Its default type is usr_t. If I reset it to that, sendmail can't 
execute it:

type=AVC msg=audit(1325785833.463:64862): avc:  denied  { execute } for
pid=X comm="sendmail" name="mm-handler" dev=XXX ino=XX
scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file

I appreciate you looking at this, Dan.

-- 
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/


Re: [CentOS] EXTERNAL: Re: turning off udev for eth0

2012-01-05 Thread Les Mikesell
On Thu, Jan 5, 2012 at 7:58 AM, Massey, Ricky  wrote:
> We use the following from a kickstart script using the PCI bus location for 
> the NICs:
>
> echo "ID==\":04:04.0\", NAME=\"eth0\"" >> 
> /etc/udev/rules.d/70-netrename.rules
> echo "ID==\":05:00.0\", NAME=\"eth0\"" >> 
> /etc/udev/rules.d/70-netrename.rules
> echo "ID==\":05:01.0\", NAME=\"eth0\"" >> 
> /etc/udev/rules.d/70-netrename.rules
>

That looks like what I need, but I don't understand it.  Is there any
documentation for how that stuff works, or can you elaborate?  And if
you do that, can you remove the HWADDR entries from the ifcfg-eth?
files and have them stick to the right devices?

-- 
  Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] selinux context for mm-handler?

2012-01-05 Thread Daniel J Walsh

On 01/05/2012 12:57 PM, Paul Heinlein wrote:
> On Thu, 5 Jan 2012, Daniel J Walsh wrote:
> 
>> On 01/04/2012 05:37 PM, Paul Heinlein wrote:
>>> I've got a Mailman installation running on CentOS 4 that I'd
>>> like to migrate to a CentOS 6 box.
>>> 
>>> My big obstacle at present is getting Mailman's mm-handler
>>> Perl script to run as a Sendmail local mailer with SELinux
>>> enabled.
>>> 
>>> I've tried changing mm-handler's selinux context type a few
>>> times, but nothing has resulted in success []
>> 
>> Set it back to its default label and then tell me what AVC
>> messages you are seeing?
> 
> The rpm-supplied file is installed with the documentation, not with
> the binaries:
> 
> /usr/share/doc/mailman-2.1.12/contrib/mm-handler
> 
> Its default type is usr_t. If I reset it to that, sendmail can't
> execute it:
> 
> type=AVC msg=audit(1325785833.463:64862): avc:  denied  { execute }
> for pid=X comm="sendmail" name="mm-handler" dev=XXX 
> ino=XX scontext=unconfined_u:system_r:sendmail_t:s0 
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> 
> I appreciate you looking at this, Dan.
> 
Ok then bin_t would be the label I would try, which would execute the
command as sendmail_t.  Or you could label it mailman_mail_exec_t.
Those would be the only ones I would try.

sendmail_t will transition to mailman_mail_t when it executes
mailman_mail_exec_t.


sesearch -T -s sendmail_t | grep mailman
   type_transition sendmail_t mailman_mail_exec_t : process mailman_mail_t;



Re: [CentOS] selinux context for mm-handler?

2012-01-05 Thread Paul Heinlein
On Thu, 5 Jan 2012, Daniel J Walsh wrote:

 My big obstacle at present is getting Mailman's mm-handler Perl 
 script to run as a Sendmail local mailer with SELinux enabled.

 I've tried changing mm-handler's selinux context type a few 
 times, but nothing has resulted in success []
>>>
>>> Set it back to its default label and then tell me what AVC 
>>> messages you are seeing?
>>
>> The rpm-supplied file is installed with the documentation, not with 
>> the binaries:
>>
>> /usr/share/doc/mailman-2.1.12/contrib/mm-handler
>>
>> Its default type is usr_t. If I reset it to that, sendmail can't
>> execute it:
>>
>> type=AVC msg=audit(1325785833.463:64862): avc:  denied  { execute }
>> for pid=X comm="sendmail" name="mm-handler" dev=XXX
>> ino=XX scontext=unconfined_u:system_r:sendmail_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>>
>> I appreciate you looking at this, Dan.
>>
> Ok then bin_t would be the label I would try, which would execute the
> command as sendmail_t.  Or you could label it mailman_mail_exec_t.
> Those would be the only ones I would try.

With a bin_t context, mm-handler can't read mailman data:

type=AVC msg=audit(1325788342.593:64979): avc:  denied  { getattr } for
pid= comm="mm-handler" path="/var/lib/mailman/lists/listtest/config.pck"
dev= ino= scontext=unconfined_u:system_r:sendmail_t:s0
tcontext=system_u:object_r:mailman_data_t:s0 tclass=file

With a mailman_mail_exec_t context, mm-handler can't open its Perl 
libraries:

type=AVC msg=audit(1325788608.288:64986): avc:  denied  { getattr } for
pid= comm="mm-handler" path="/usr/share/perl5/FileHandle.pm"
dev= ino= scontext=unconfined_u:system_r:mailman_mail_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file

I suspect at this point that I'll have to write a local exception 
policy. Which is the lesser of the two evils:

   * let mailman_mail_t access usr_t files, or
   * let sendmail_t access mailman_data_t files?

I'm leaning toward the latter.

-- 
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/


Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread Lamar Owen
On Wednesday, January 04, 2012 08:47:47 PM Bennett Haselton wrote:
> Well yes, on average, password-authentication is going to be worse 
> because it includes people in the sample who are using passwords like 
> "Patricia".  Did they compare the break-in rate for systems with 12-char 
> passwords vs. systems with keys?

And this is where the rubber meets the road.  Keys are uniformly secure (as 
long as physical access to the private key isn't available to the attacker), 
passwords are not.

It is a best practice to not run password auth on a public facing server 
running ssh on port 22.  Simple as that.  Since this is such a basic best 
practice, it will get mentioned anytime anyone mentions using a password to log 
in remotely over ssh as root; the other concerns and possible exploits are more 
advanced than this. 

Addressing that portion of this thread, it's been my experience that once an 
attacker gains root on your server you have a very difficult job on your hands 
determining how they got in; specialized forensics tools that analyze more than 
just logs can be required to adequately find this; that is, this is a job for a 
forensics specialist.  

Now, anyone (yes, anyone) can become a forensics specialist, and I encourage 
every admin to at least know enough about forensics to at least be able to take 
a forensics-quality image of a disk and do some simple forensics-quality 
read-only analysis (simply mounting, even as read-only, an ext3/4 filesystem 
breaks full forensics, for instance).  But when it comes to analyzing today's 
advanced persistent threats and breakins related to them, you should at least 
read after experts in this field like Mandiant's Kevin Mandia (there's a 
slashdot story about him and exactly this sort of thing; see 
http://it.slashdot.org/story/12/01/04/0630203/cleaning-up-the-mess-after-a-major-hack-attack
 for details).  He's a nice guy, too.

I would suspect that no one on this list would be able or willing to provide a 
full analysis on-list, perhaps privately, though, and/or for a fee.

In conclusion, as I am done with this branch of this thread, I'd recommend you 
read 
http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers

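The two things Lamar asks every admin to be able to do, take a forensics-quality image and examine it read-only, as an added example that is not from the original post. It assumes GNU coreutils and util-linux on Linux; device and mount paths are assumptions. The point about ext3/4 is in mount_image_ro: a plain `-o ro` still replays the journal, which changes the image, so `noload` is needed as well, and a read-only loop device refuses writes one layer down in case a tool ignores the mount flags.

```shell
#!/bin/sh
# The two basic forensics tasks Lamar mentions: take an image whose
# integrity can be shown, and look at it without letting the kernel modify
# it.  Added example, not from the original post.  Assumes GNU coreutils
# and util-linux on Linux; device and mount paths are assumptions.

# Copy $1 (block device or file) to $2 sector by sector and record SHA-256
# hashes of both.  bs=512 with conv=noerror,sync keeps every offset in the
# image equal to the original even across unreadable sectors (they are
# zero-filled and dd's complaints land in $2.dd.log); a larger block size
# with sync would pad a tail that is not a multiple of it and break the
# hash comparison.  Returns 0 only if source and image hash the same.
image_device() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2> "$img.dd.log" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Re-hash an image and compare with the value recorded at acquisition,
# the check to run before and after every examination session.
verify_image() {
    img="$1"
    recorded=$(awk -v f="$img" '$2 == f { print $1 }' "$img.sha256")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Mount a filesystem inside the image read-only for examination.
# "ro" alone is not enough on ext3/ext4: mount would still replay the
# journal and change the image.  "noload" stops that, and a read-only loop
# device (losetup -r) refuses writes at the block layer as well.
# $3 = byte offset of the partition inside a whole-disk image, $4 = fs type.
mount_image_ro() {
    img="$1"; mnt="$2"; offset="${3:-0}"; fstype="${4:-ext3}"
    loopdev=$(losetup -f --show -r -o "$offset" "$img") || return 1
    mount -t "$fstype" -o ro,noload,noexec,nosuid,nodev "$loopdev" "$mnt"
}
```

Image from a boot medium or another host wherever possible: a live, possibly rootkitted system cannot be trusted to give you the real contents of its own disk, which is the other half of Lamar's point about needing more than the logs. The noexec,nosuid,nodev flags are there because the filesystem you are about to browse belongs to the attacker now.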


Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread Ljubomir Ljubojevic
On 01/05/2012 07:56 PM, Lamar Owen wrote:
> On Wednesday, January 04, 2012 08:47:47 PM Bennett Haselton wrote:
>> Well yes, on average, password-authentication is going to be worse
>> because it includes people in the sample who are using passwords like
>> "Patricia".  Did they compare the break-in rate for systems with 12-char
>> passwords vs. systems with keys?
>
> And this is where the rubber meets the road.  Keys are uniformly secure (as 
> long as physical access to the private key isn't available to the attacker), 
> passwords are not.
>
> It is a best practice to not run password auth on a public facing server 
> running ssh on port 22.  Simple as that.  Since this is such a basic best 
> practice, it will get mentioned anytime anyone mentions using a password to 
> log in remotely over ssh as root; the other concerns and possible exploits 
> are more advanced than this.
>
> Addressing that portion of this thread, it's been my experience that once an 
> attacker gains root on your server you have a very difficult job on your 
> hands determining how they got in; specialized forensics tools that analyze 
> more than just logs can be required to adequately find this; that is, this is 
> a job for a forensics specialist.
>
> Now, anyone (yes, anyone) can become a forensics specialist, and I encourage 
> every admin to at least know enough about forensics to at least be able to 
> take a forensics-quality image of a disk and do some simple forensics-quality 
> read-only analysis (simply mounting, even as read-only, an ext3/4 filesystem 
> breaks full forensics, for instance).  But when it comes to analyzing today's 
> advanced persistent threats and break-ins related to them, you should at least 
> read after experts in this field like Mandiant's Kevin Mandia (there's a 
> slashdot story about him and exactly this sort of thing; see 
> http://it.slashdot.org/story/12/01/04/0630203/cleaning-up-the-mess-after-a-major-hack-attack
>  for details).  He's a nice guy, too.
>
> I would suspect that no one on this list would be able or willing to provide 
> a full analysis on-list, perhaps privately, though, and/or for a fee.
>
> In conclusion, as I am done with this branch of this thread, I'd recommend 
> you read 
> http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>

What is the sentiment about having a dedicated box with only ssh, and then using 
that one to raise ssh tunnels to inside systems? So there are no exploits 
to be used, denyhosts in effect?

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] c6, LSI megaraid drive failure notification

2012-01-05 Thread John R Pierce
On 01/05/12 7:14 AM, Craig White wrote:
>> not having much  luck locating that megaclisas-status script
>> >  
>> >  http://hwraid.le-vert.net/wiki/LSIMegaRAIDSAS  talks about it, but the
>> >  source is nowhere to be found
> 
> It seems to me that the megaclisas-statusd is basically 2 script files, 1 in 
> /usr/sbin and the other a sysv initscript and should be easily modifiable to 
> run on CentOS instead of Debian/Ubuntu with the requirement that you would 
> need to have megacli installed/running. I agree that I couldn't find any 
> rpm's of the same.

indeed it does.   but I can't find those two scripts at the above site 
or elsewhere.   I don't have any debian, and don't really want to have 
to install it.

I spent about 2 hours with the code from 
http://windowsmasher.wordpress.com/2011/08/15/using-megacli-to-monitor-openfiler-rev2/
  
but it's badly broken: the blog seems to have trashed Python's 
indentation, and while I fixed enough to get it working, it's not working 
right as it's not listing any of the LDs or PDs.



-- 
john r pierce    N 37, W 122
santa cruz ca mid-left coast

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread Lamar Owen
On Thursday, January 05, 2012 02:25:50 PM Ljubomir Ljubojevic wrote:
> What is the sentiment about having a dedicated box with only ssh, and then using 
> that one to raise ssh tunnels to inside systems? So there are no exploits 
> to be used, denyhosts in effect?

Without being too specific, I already do this sort of thing, but with two 
'bastion' hosts in a failover/load-balanced scenario on physical server 
hardware.

I use a combination of firewalling to keep incoming on port 22 out of the other 
hosts, using nat rules, cisco incoming and outgoing acls on the multiple 
routers between the servers and the 'outside' world, iptables, and other means. 
 In particular, Cisco's NAT 'extendable' feature enables interesting layer 4 
switching possibilities.

I'm not going to say that it's perfectly secure and won't ever allow a 
penetration, but it seems to be doing a pretty good job at the moment.

Improvements I could make would include:
1.) Boot and run the bastion hosts from customized LiveCD or LiveDVD on real 
DVD-ROM read-only drives with no persistent storage (updating the LiveCD/DVD 
image periodically with updates and with additional authentication users/data 
as needed; DVD+RW works very well for this as long as the boot drive is a 
DVD-ROM and not an RW drive!);
2.) Scheduled rolling reboots of the bastion hosts using a physical power timer 
(rebooting each machine at a separate time once every 24 hours during hours 
remote use wouldn't happen (best time is during local lunchtime, actually); the 
boxes are set to power on automatically upon power restoration after loss);
3.) Port knocking and similar techniques for the bastion hosts in addition to 
the layered ssh solution in place (I'm using NX, which logs in as the nx user 
via keys first, then authenticates the user, either with keys or with a 
password);
4.) Packetfence or similar snort IDS box sitting on the ethernet VLANs of these 
boxes with custom rules designed to detect intrusions in progress and 
dynamically add acls to the border routers upon detection (this one will take a 
while);

I'm still thinking of unusual ways of securing; I've looked at tarpits and 
honeypots, too, and have really enjoyed some of the more arcane advice I've 
seen on this list in the past.  I still want the device used to remotely fry 
the computer in the movie 'Electric Dreams' personally. :-)
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] was, Re: an actual hacked machine, in a preserved state, is securing a box

2012-01-05 Thread m . roth
Lamar Owen wrote:

> I'm still thinking of unusual ways of securing; I've looked at tarpits and
> honeypots, too, and have really enjoyed some of the more arcane advice
> I've seen on this list in the past.  I still want the device used to
> remotely fry the computer in the movie 'Electric Dreams' personally.
> :-)

Wimp. Never read Neuromancer? Don't want black ICE?

   mark, hoping for a neural interface without a jack behind
   the ear

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] selinux context for mm-handler?

2012-01-05 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/05/2012 01:47 PM, Paul Heinlein wrote:
> On Thu, 5 Jan 2012, Daniel J Walsh wrote:
> 
> My big obstacle at present is getting Mailman's mm-handler
> Perl script to run as a Sendmail local mailer with SELinux
> enabled.
> 
> I've tried changing mm-handler's selinux context type a few
> times, but nothing has resulted in success []
>>>> 
>>>> Set it back to its default label and then tell me what AVC
>>>> messages you are seeing?
>>> 
>>> The rpm-supplied file is installed with the documentation, not
>>> with the binaries:
>>> 
>>> /usr/share/doc/mailman-2.1.12/contrib/mm-handler
>>> 
>>> Its default type is usr_t. If I reset it to that, sendmail
>>> can't execute it:
>>> 
>>> type=AVC msg=audit(1325785833.463:64862): avc:  denied  {
>>> execute } for pid=X comm="sendmail" name="mm-handler"
>>> dev=XXX ino=XX
>>> scontext=unconfined_u:system_r:sendmail_t:s0 
>>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>>> 
>>> I appreciate you looking at this, Dan.
>>> 
>> Ok then bin_t would be the label I would try, which would execute
>> the command as sendmail_t.  Or you could label it
>> mailman_mail_exec_t. Those would be the only ones I would try.
> 
> With a bin_t context, mm-handler can't read mailman data:
> 
> type=AVC msg=audit(1325788342.593:64979): avc:  denied  { getattr }
> for pid= comm="mm-handler" 
> path="/var/lib/mailman/lists/listtest/config.pck" dev= 
> ino= scontext=unconfined_u:system_r:sendmail_t:s0 
> tcontext=system_u:object_r:mailman_data_t:s0 tclass=file
> 
> With a mailman_mail_exec_t context, mm-handler can't open its Perl 
> libraries:
> 
> type=AVC msg=audit(1325788608.288:64986): avc:  denied  { getattr }
> for pid= comm="mm-handler" 
> path="/usr/share/perl5/FileHandle.pm" dev= ino= 
> scontext=unconfined_u:system_r:mailman_mail_t:s0 
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> 
> I suspect at this point that I'll have to write a local exception 
> policy. Which is the lesser of the two evils:
> 
> * let mailman_mail_t access usr_t files, or * let sendmail_t access
> mailman_data_t files?
> 
> I'm leaning toward the latter.
> 

Yes I agree, mailman_mail_t is better, and latest fedora policy has
files_read_usr_files(mailman_mail_t).

I will get it back ported into RHEL6.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8GBGgACgkQrlYvE4MpobMkMQCfRQzKhN2I+wVhwnETLKT2Z70Q
sU0AoNflG7TeynX0uXwQtRTOKaeX0GcD
=5eg5
-END PGP SIGNATURE-
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
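
The three AVC messages in this thread each translate into one type-enforcement rule, and comparing those rules is how Paul weighed the "lesser of two evils". The following is an added example, not from the thread and not audit2allow (which does this from the audit log on a real system). It assumes the auditd AVC record layout shown above: 'avc: denied { perms } for' followed by key=value pairs, with scontext and tcontext as user:role:type:level. The sample messages are the three quoted in the thread, rejoined onto single lines with their redactions left as posted.

```python
"""Turn SELinux AVC denials into the policy rule each one would need."""
import re

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The messages quoted in the thread, one per line (redactions as posted).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1325785833.463:64862): avc:  denied  { execute } for pid=X '
    'comm="sendmail" name="mm-handler" dev=XXX ino=XX '
    'scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1325788342.593:64979): avc:  denied  { getattr } for pid= comm="mm-handler" '
    'path="/var/lib/mailman/lists/listtest/config.pck" dev= ino= '
    'scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=file',
    'type=AVC msg=audit(1325788608.288:64986): avc:  denied  { getattr } for pid= comm="mm-handler" '
    'path="/usr/share/perl5/FileHandle.pm" dev= ino= '
    'scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
]


def context_type(ctx):
    """Third field of user:role:type:level, or None when malformed."""
    fields = ctx.split(":", 3)
    return fields[2] if len(fields) >= 3 else None


def parse_avc(line):
    """Pick the fields that decide a denial out of one audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def allow_rule(d):
    """The allow rule a local policy module would need for this denial."""
    return "allow %s %s:%s { %s };" % (
        d["source_type"], d["target_type"], d["tclass"], " ".join(d["perms"]))


def summarize(lines):
    """Group denials by (source domain, target type, class), merging permissions."""
    grouped = {}
    for line in lines:
        d = parse_avc(line)
        if d is None or d["verdict"] != "denied":
            continue
        key = (d["source_type"], d["target_type"], d["tclass"])
        grouped.setdefault(key, set()).update(d["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE_AVCS).items():
        print("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms)))
```

Seen as rules, the choice in the thread is between widening the general-purpose sendmail_t domain to mailman's private data and letting the narrower mailman_mail_t domain read usr_t files; Dan's answer picks the second, and the script makes that comparison visible before anything is loaded into the policy.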


Re: [CentOS] Corrupt mbr and disk directory map

2012-01-05 Thread Billy Davis
On 1/5/2012 11:20 AM, m.r...@5-cent.us wrote:
> Billy Davis wrote:
>> We are running Centos 5.6.  All was fine until yesterday.  I attempted
>> to tar a 14KB work file to a USB floppy  (/dev/sdb) for transport to
>> another server.  Unfortunately, I keyed in 'tar cvf /dev/sda filename'
>> instead of 'tar cvf /dev/sdb filename'.   /dev/sda is our main
>> (boot/root/apps) scsi hard drive.   I realized my mistake, but it was
>> too late.  The system is still powered up and running, but I am sure
>> that I have overlaid (and trashed) the mbr and the disk directory map.
> 
>> I suspect that when I power the system down, it will not reboot.  I can
> You have that right.
>
>> reinstall mbr and grub, but I don't have the original partition table
>> start/end values.  Since the system is still running, it seems that the
>> partition table must still be available to it from somewhere.
>>
>> Is there any way to easily restore the partition table?
> Easily? No (other than the grub-install /dev/sda part).
>
> Sorry about your problem, but I appreciate the question: it led me to
> , a fair bit
> of which was quite familiar, and other bits weren't. For example, cat
> /proc/partitions might give you a serious bit of the information you're
> looking for.
>
> Hope that helps.
>
> mark
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>
Thanks Mark.  The cat command provided the lost partition information.  
I used that information with fdisk to restore the partition map.  The 
fdisk partition map is now identical to the cat partition information.

Next, I reinstalled grub.  All seems normal now, at least until I 
shutdown and reboot.  I'll wait until the weekend to do that, just in 
case I still have to do a disk restore for some reason.

Thanks again for your input.
Billy
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
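
Billy recovered the table from what the running kernel still knew. As an added example (not a tool from this thread), here is the same recovery done completely, producing a dump that sfdisk can replay. It assumes sysfs exposes /sys/block/<disk>/<part>/start and /size in 512-byte sectors while /proc/partitions reports 1 KiB blocks rounded down, and that the MBR partition Ids are supplied by the operator, since neither kernel view records them. Both inputs below are constructed.

```python
"""Capture a partition layout from a running system in sfdisk form.

The preventive version is one line, run while the disk is healthy:
    sfdisk -d /dev/sda > /root/sda.sfdisk
"""

# constructed /proc/partitions snapshot (1 KiB blocks)
PROC_PARTITIONS = """\
major minor  #blocks  name

   8        0   71687372 sda
   8        1     104391 sda1
   8        2   71577787 sda2
"""

# constructed snapshot of /sys/block/sda/{,sda1,sda2}/{start,size} (sectors)
SYSFS = {
    "sda":  {"size": 143374744},
    "sda1": {"start": 63,     "size": 208782},
    "sda2": {"start": 208845, "size": 143155575},
}


def parse_proc_partitions(text):
    """Return {name: blocks} from /proc/partitions text."""
    blocks = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            blocks[parts[3]] = int(parts[2])
    return blocks


def partition_layout(disk, sysfs):
    """Return [(name, start_sector, size_sectors)] for disk, ordered by start."""
    layout = [(name, attrs["start"], attrs["size"])
              for name, attrs in sysfs.items()
              if name != disk and name.startswith(disk) and "start" in attrs]
    return sorted(layout, key=lambda p: p[1])


def check_layout(disk, layout, sysfs, blocks):
    """Cross-check the two kernel views; a non-empty result means do not trust it."""
    problems = []
    disk_sectors = sysfs[disk]["size"]
    prev_end = 0
    for name, start, size in layout:
        if start < prev_end:
            problems.append("%s starts inside the previous partition" % name)
        if start + size > disk_sectors:
            problems.append("%s runs past the end of %s" % (name, disk))
        if blocks.get(name) != size // 2:  # 1 KiB blocks, rounded down
            problems.append("%s: /proc/partitions size disagrees with sysfs" % name)
        prev_end = start + size
    return problems


def to_sfdisk(layout, ids, bootable=None):
    """Render an 'sfdisk -d' style dump; ids maps name -> MBR type (83, 8e, ...)."""
    lines = ["unit: sectors", ""]
    for name, start, size in layout:
        line = "/dev/%s : start=%9d, size=%10d, Id=%s" % (name, start, size, ids[name])
        if name == bootable:
            line += ", bootable"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    layout = partition_layout("sda", SYSFS)
    problems = check_layout("sda", layout, SYSFS, parse_proc_partitions(PROC_PARTITIONS))
    # Ids here are constructed: a /boot partition plus an LVM physical volume
    print("\n".join(problems) or to_sfdisk(layout, {"sda1": "83", "sda2": "8e"}, bootable="sda1"))
```

The cross-check matters because /proc/partitions alone gives sizes but not starts, and an odd sector count rounds down to blocks; reconstructing starts by hand from block counts is where a one-sector error creeps in.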


Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread Ljubomir Ljubojevic
On 01/05/2012 08:58 PM, Lamar Owen wrote:
> 1.) Boot and run the bastion hosts from customized LiveCD or LiveDVD on real 
> DVD-ROM read-only drives with no persistent storage (updating the LiveCD/DVD 
> image periodically with updates and with additional authentication users/data 
> as needed; DVD+RW works very well for this as long as the boot drive is a 
> DVD-ROM and not an RW drive!);

How about using Stateless CentOS system with:
http://plone.lucidsolutions.co.nz/linux/io/using-centos-5.2-stateless-linux-support-on-a-flash-based-root-filesystem#section-13,
then mounting the KVM guest's system as read-only, shutting it down and then 
setting the KVM guest's virtual drive file as read-only for KVM. That way a 
change of read-only to write would have no effect on the HDD/image.

But I do not know if this is possible from KVM "read-only" point of view.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Corrupt mbr and disk directory map

2012-01-05 Thread m . roth
Billy Davis wrote:
> On 1/5/2012 11:20 AM, m.r...@5-cent.us wrote:
>> Billy Davis wrote:
>>> We are running Centos 5.6.  All was fine until yesterday.  I attempted
>>> to tar a 14KB work file to a USB floppy  (/dev/sdb) for transport to
>>> another server.  Unfortunately, I keyed in 'tar cvf /dev/sda filename'
>>> instead of 'tar cvf /dev/sdb filename'.   /dev/sda is our main

>> Sorry about your problem, but I appreciate the question: it led me to
>> , a fair
>> bit of which was quite familiar, and other bits weren't. For example, cat
>> /proc/partitions might give you a serious bit of the information you're
>> looking for.
>>
> Thanks Mark.  The cat command provided the lost partition information.
> I used that information with fdisk to restore the partition map.  The
> fdisk partition map is now identical to the cat partition information.

Good deal!
>
> Next, I reinstalled grub.  All seems normal now, at least until I
> shutdown and reboot.  I'll wait until the weekend to do that, just in
> case I still have to do a disk restore for some reason.

Best of luck, and let us know how things turn out.

If things go south, there *are* tools that will let you scan a raw disk,
and you could look for the superblock or the first dup, then calculate
where the fs & partition should start, but that would be *real* work.
>
> Thanks again for your input.

As I said, hope it works.

mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] sa-update error with perl

2012-01-05 Thread email builder
>>  Hmm, OK, prioritize CentOS repo over RepoForge then will yum update

>>  figure out the rest?  I don't see any priority settings in my yum conf 
>>  files...
> 
> # yum list | grep priorities
> yum-priorities.noarch  1.1.16-16.el5.centos    
> installed
> 
> # cat /etc/yum/pluginconf.d/priorities.conf 
> [main]
> enabled = 1
> check_obsoletes=1
> 
> Then add "priority=n" to the repos sections.
> n=1 for CentOS
> n=2 for repo 2
> etc...

Ah, it's a separate package.  OK thanks for the info!

But before I try that, I'm wondering, shouldn't it be easy
from the error message to simply understand what package
is creating the problem?

It turns out it's not sa-update specifically doing this, but the
restart of spamassassin itself:

/etc/init.d/spamassassin condrestart

Stopping spamd: [  OK  ]
Starting spamd: Subroutine Net::DNS::Resolver::Base::AF_INET6 redefined at 
/usr/lib/perl5/5.8.8/Exporter.pm line 65.
 at 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/Net/DNS/Resolver/Base.pm
 line 66
[  OK  ]

I've ensured that my spamassassin, perl-Net-DNS and
per-IO-Socket-INET6 packages are all from the CentOS
repo, so is it just a crap shoot to find what is causing
this?  I'd expect the error message to be more helpful
than that...

Recap on my versions:

perl-IO-Socket-INET6-2.51-2.fc6
perl-Net-DNS-0.59-3.el5
spamassassin-3.3.1-2.el5
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] c6, LSI megaraid drive failure notification

2012-01-05 Thread Craig White
sent to you via PM - hope you don't mind.

Craig

On Jan 5, 2012, at 12:53 PM, John R Pierce wrote:

> On 01/05/12 7:14 AM, Craig White wrote:
>>> not having much  luck locating that megaclisas-status script
>>>> 
>>>>  http://hwraid.le-vert.net/wiki/LSIMegaRAIDSAS  talks about it, but the
>>>>  source is nowhere to be found
>> 
>> It seems to me that the megaclisas-statusd is basically 2 script files, 1 in 
>> /usr/sbin and the other a sysv initscript and should be easily modifiable to 
>> run on CentOS instead of Debian/Ubuntu with the requirement that you would 
>> need to have megacli installed/running. I agree that I couldn't find any 
>> rpm's of the same.
> 
> indeed it does.   but I can't find those two scripts at the above site 
> or elsewhere.   I don't have any debian, and don't really want to have 
> to install it.
> 
> I spent about 2 hours with the code from 
> http://windowsmasher.wordpress.com/2011/08/15/using-megacli-to-monitor-openfiler-rev2/
>   
> but it's badly broken: the blog seems to have trashed Python's 
> indentation, and while I fixed enough to get it working, it's not working 
> right as it's not listing any of the LDs or PDs.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread Bennett Haselton
On 1/5/2012 6:53 AM, Johnny Hughes wrote:
> On 01/04/2012 07:47 PM, Bennett Haselton wrote:
>> On 1/4/2012 1:59 PM, Lamar Owen wrote:
>>> [Distilling to the core matter; everything else is peripheral.]
>>>
>>> On Jan 4, 2012, at 2:58 PM, Bennett Haselton wrote:
>>>> To be absolutely clear: Do you, personally, believe there is more than a
>>>> 1 in a million chance that the attacker who got into my machine, got it
>>>> by brute-forcing the password?  As opposed to, say, using an underground
>>>> exploit?
>>> Here's how I see it breaking down:
>>>
>>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>>> your /etc/shadow file (not a remote shell, just GET the file without
>>> that fact being logged);
>>> 2.) Attacker runs cloud-based (and/or CUDA accelerated) brute-forcer
>>> on 10,000,000 machines against your /etc/shadow file without your
>>> knowledge;
>>> 3.) Some time passes;
>>> 4.) Attacker obtains your password using distributed brute forcing of
>>> the hash in the window of time prior to you resetting it;
>>> 5.) Attacker logs in since you allow password login.  You're pwned by
>>> a non-login brute-force attack.
>>>
>>> In contrast, with ssh keys and no password logins allowed:
>>>
>>> 1.) Attacker obtains /etc/shadow and cracks your password after some
>>> time;
>>> 2.) Attacker additionally obtains /root/.ssh/*
>>> 3.) Attacker now has your public key.  Good for them; public keys
>>> don't have to be kept secure since it is vastly more difficult to
>>> reverse known plaintext, known ciphertext, and the public key into a
>>> working private key than it is to brute-force the /etc/shadow hash
>>> (part of the difficulty is getting all three required components to
>>> successfully reverse your private key; the other part boils down to
>>> factoring and hash brute-forcing);
>>> 4.) Attacker also has root's public and private keys, if there is a
>>> pair in root's ~/.ssh, which may or may not help them.  If there's a
>>> passphrase on the private key, it's quite difficult to obtain that
>>> from the key;
>>> 5.) Attacker can't leverage either your public key or root's key pair
>>> (or the machine key; even if they can leverage that to do MitM (which
>>> they can and likely will) that doesn't help them obtain your private
>>> key for authentication;
>>> 6.) Attacker still can't get in because you don't allow password
>>> login, even though attacker has root's password.
>>>
>>> This only requires an apache httpd exploit that allows reading of any
>>> file; no files have to be modified and no shells have to be acquired
>>> through any exploits.  Those make it faster, for sure; but even then
>>> the attacker is going to acquire your /etc/shadow as one of the first
>>> things they do; the next thing they're going to do is install a
>>> rootkit with a backdoor password.
>>>
>>> Brute-forcing by hash-cracking, not by attempting to login over ssh,
>>> is what I'm talking about.
>> I acknowledged that the first time I replied to someone's post saying a
>> 12-char password wasn't secure enough.  I hypothesized an attacker with
>> the fastest GPU-driven password cracker in the world (even allowing for
>> 100-factor improvements in coming years) and it would still take
>> centuries to break.  I understand about brute-forcing the hash vs.
>> brute-forcing the login, but some others had posted about brute-forcing
>> the login specifically and I was commenting on how ridiculous that was.
>>
>>> This is what I mean when I say 'multilayer metasploit-driven attacks.'
>>>
>>> The weakest link is the security of /etc/shadow on the server for
>>> password auth (unless you use a different auth method on your server,
>>> like LDAP or other, but that just adds a layer, making the attacker
>>> work harder to get that all-import password).  Key based auth is
>>> superior, since the attacker reading any file on your server cannot
>>> compromise the security.
>>>
>>> Kerberos is better still.
>>>
>>> Now, the weakest link for key auth is the private key itself.  But
>>> it's better protected than any password is (if someone can swipe your
>>> private key off of your workstation you have bigger problems, and they
>>> will have your /etc/shadow for your workstation, and probably a
>>> backdoor.).  The passphrase is also better protected than the
>>> typical MD5 hash password, too.
>>>
>>> It is the consensus of the security community that key-based
>>> authentication with strong private key passphrases is better than any
>>> password-only authentication, and that consensus is based on facts
>>> derived from evidence of actual break-ins.
>> Well yes, on average, password-authentication is going to be worse
>> because it includes people in the sample who are using passwords like
>> "Patricia".  Did they compare the break-in rate for systems with 12-char
>> passwords vs. systems with keys?
>>
>> I have nothing in particular against ssh keys - how could anybody be
>> "against ssh keys"? :)  My point was that when I

Re: [CentOS] Corrupt mbr and disk directory map

2012-01-05 Thread Denniston, Todd A CIV NAVSURFWARCENDIV Crane
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of m.r...@5-cent.us
> Sent: Thursday, January 05, 2012 15:33
> To: CentOS mailing list
> Subject: Re: [CentOS] Corrupt mbr and disk directory map
> 
> Billy Davis wrote:
> > On 1/5/2012 11:20 AM, m.r...@5-cent.us wrote:
> >> Billy Davis wrote:
> >>> We are running Centos 5.6.  All was fine until yesterday.  I
> attempted
> >>> to tar a 14KB work file to a USB floppy  (/dev/sdb) for transport
> to
> >>> another server.  Unfortunately, I keyed in 'tar cvf /dev/sda
> filename'
> >>> instead of 'tar cvf /dev/sdb filename'.   /dev/sda is our main
> 

> >
> > Next, I reinstalled grub.  All seems normal now, at least until I
> > shutdown and reboot.  I'll wait until the weekend to do that, just
in
> > case I still have to do a disk restore for some reason.
> 
> Best of luck, and let us know how things turn out.
> 
> If things go south, there *are* tools that will let you scan a raw
> disk,
> and you could look for the superblock or the first dup, then calculate
> where the fs & partition should start, but that would be *real* work.

The OP might want to look at the archives of this list for the somewhat
recent "data recovery" thread before rebooting.
I thought Lamar Owen's 9/23/2011 15:35 post was particularly good,
because it mentioned some of the tools and processes.

And as Mark said... I hope it works.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] c6, LSI megaraid drive failure notification

2012-01-05 Thread John R Pierce
On 01/05/12 12:42 PM, Craig White wrote:
> sent to you via PM - hope you don't mind.
>
>

thanks, got it.


-- 
john r pierce    N 37, W 122
santa cruz ca mid-left coast

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] c6, LSI megaraid drive failure notification

2012-01-05 Thread Craig White

On Jan 5, 2012, at 2:02 PM, John R Pierce wrote:

> On 01/05/12 12:42 PM, Craig White wrote:
>> sent to you via PM - hope you don't mind.
>> 
>> 
> 
> thanks, got it.

I probably should have figured out a way to send you just a tarball but there 
really wasn't much else and certainly nothing of significance. This was the 
full manifest...

# dpkg -L megaclisas-status
/.
/etc
/etc/init.d
/etc/init.d/megaclisas-statusd
/usr
/usr/sbin
/usr/sbin/megaclisas-status
/usr/share
/usr/share/doc
/usr/share/doc/megaclisas-status
/usr/share/doc/megaclisas-status/README.Debian
/usr/share/doc/megaclisas-status/changelog.gz
/usr/share/doc/megaclisas-status/copyright

If there's anything else you want from this, let me know.

Craig
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] EXTERNAL: Re: turning off udev for eth0

2012-01-05 Thread Massey, Ricky
There are actually three Ethernet ports (eth0, eth1, and eth2).  We use this 
method to kickstart many servers with the same configuration.  The HWADDR is 
removed from the ifcfg-ethx files.  Udev will process the files in the rules.d 
directory in order. The closest link I have found is 
http://sicherheitsschwankung.de/post/jan/2005-10-13/renaming-network-devices-udev.
  Also, I should point out we are using CentOS 5.5.

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Les Mikesell
Sent: Thursday, January 05, 2012 12:58 PM
To: CentOS mailing list
Subject: Re: [CentOS] EXTERNAL: Re: turning off udev for eth0

On Thu, Jan 5, 2012 at 7:58 AM, Massey, Ricky  wrote:
> We use the following from a kickstart script using the PCI bus location for 
> the NICs:
>
> echo "ID==\":04:04.0\", NAME=\"eth0\"" >> 
> /etc/udev/rules.d/70-netrename.rules
> echo "ID==\":05:00.0\", NAME=\"eth1\"" >> 
> /etc/udev/rules.d/70-netrename.rules
> echo "ID==\":05:01.0\", NAME=\"eth2\"" >> 
> /etc/udev/rules.d/70-netrename.rules
>

That looks like what I need, but I don't understand it.  Is there any
documentation for how that stuff works, or can you elaborate?  And if
you do that, can you remove the HWADDR entries from the ifcfg-eth?
files and have them stick to the right devices?

-- 
  Les Mikesell
lesmikes...@gmail.com
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] c6, LSI megaraid drive failure notification

2012-01-05 Thread John R Pierce
On 01/05/12 1:09 PM, Craig White wrote:
> I probably should have figured out a way to send you just a tarball but there 
> really wasn't much else and certainly nothing of significance.

Sigh, it's doing the same thing as the code I 'fixed' from that blog I 
posted earlier...

# ./megaclisas-status
-- Controller informations --
-- ID | Model
c0 | LSI MegaRAID SAS 9261-8i

-- Arrays informations --
-- ID | Type | Size | Status | InProgress

-- Disks informations
-- ID | Model | Status


(I have 1 array and 36 disks on this controller)
so the output format from MegaCli has probably changed just enough to 
throw it off, so I need to refactor it.  meh.

I can't believe no one is running a late model MegaRAID SAS card with 
Linux and doesn't require error status change notifications.



-- 
john r pierce    N 37, W 122
santa cruz ca mid-left coast

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
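
The script in this thread went quiet because it expected fixed column widths and the MegaCli output shifted. The following is an added example, not the megaclisas-status script nor the blog code: it reads the text of 'MegaCli -LDInfo -Lall -aALL' and 'MegaCli -PDList -aALL' as key: value records, splitting each line on its first colon so padding and ordering changes do not matter, and reports anything that is not healthy. The two samples are constructed to resemble that output, and the binary path is an assumption.

```python
"""Parse MegaCli status output tolerantly and report anything not healthy."""
import re
import subprocess

MEGACLI = "/opt/MegaRAID/MegaCli/MegaCli64"  # assumption: typical install path

# constructed sample in the shape of 'MegaCli -LDInfo -Lall -aALL'
LD_SAMPLE = """\
Adapter 0 -- Virtual Drive Information:
Virtual Drive: 0 (Target Id: 0)
Name                :
RAID Level          : Primary-6, Secondary-0, RAID Level Qualifier-3
Size                : 65.455 TB
State               : Partially Degraded
Number Of Drives    : 36
Virtual Drive: 1 (Target Id: 1)
RAID Level          : Primary-1, Secondary-0, RAID Level Qualifier-0
State               : Optimal
Number Of Drives    : 2
"""

# constructed sample in the shape of 'MegaCli -PDList -aALL'
PD_SAMPLE = """\
Adapter #0

Enclosure Device ID: 8
Slot Number: 0
Firmware state: Online, Spun Up
Media Error Count: 0
Predictive Failure Count: 0

Enclosure Device ID: 8
Slot Number: 1
Firmware state: Failed
Media Error Count: 17
Predictive Failure Count: 0

Enclosure Device ID: 8
Slot Number: 2
Firmware state: Online, Spun Up
Media Error Count: 0
Predictive Failure Count: 2
"""

OK_PD_STATES = ("online", "hotspare", "unconfigured(good)", "jbod")
PD_COUNTERS = ("media error count", "other error count", "predictive failure count")


def parse_records(text, start_pattern):
    """Split output into records, each a {lowercase key: value} dict.

    A record begins at any line matching start_pattern; every other line is
    'key: value' with arbitrary padding, so we split on the first colon only.
    """
    start = re.compile(start_pattern)
    records, current = [], None
    for line in text.splitlines():
        if start.match(line):
            current = {}
            records.append(current)
        if current is None or ":" not in line:
            continue
        key, value = line.split(":", 1)
        current.setdefault(key.strip().lower(), value.strip())
    return records


def ld_problems(ld_text):
    """Virtual drives whose state is anything other than Optimal."""
    out = []
    for rec in parse_records(ld_text, r"^Virtual (Drive|Disk):"):
        ident = rec.get("virtual drive", rec.get("virtual disk", "?")).split()[0]
        state = rec.get("state", "unknown")
        if state.lower() != "optimal":
            out.append("LD %s: %s (%s)" % (ident, state, rec.get("raid level", "?")))
    return out


def pd_problems(pd_text):
    """Physical drives in a bad firmware state or with non-zero error counters."""
    out = []
    for rec in parse_records(pd_text, r"^Enclosure Device ID:"):
        where = "enclosure %s slot %s" % (rec.get("enclosure device id", "?"),
                                          rec.get("slot number", "?"))
        fw = rec.get("firmware state", "unknown")
        if not fw.lower().startswith(OK_PD_STATES):
            out.append("PD %s: firmware state %s" % (where, fw))
        for counter in PD_COUNTERS:
            value = rec.get(counter, "0")
            if value.isdigit() and int(value) > 0:
                out.append("PD %s: %s = %s" % (where, counter, value))
    return out


def run_megacli(*args):
    """Run the real tool (not exercised by the samples above)."""
    cmd = [MEGACLI] + list(args) + ["-NoLog"]
    return subprocess.check_output(cmd).decode("utf-8", "replace")


if __name__ == "__main__":
    problems = (ld_problems(run_megacli("-LDInfo", "-Lall", "-aALL")) +
                pd_problems(run_megacli("-PDList", "-aALL")))
    for p in problems:
        print(p)
    raise SystemExit(1 if problems else 0)
```

Run from cron with the exit status feeding whatever alerting is already in place; a non-zero exit is the "error status change notification" the thread is after, and a PD that is merely spun down or a hot spare does not trip it.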


[CentOS] SELinux and access across 'similar types'

2012-01-05 Thread Bennett Haselton
http://wiki.centos.org/HowTos/SELinux
says:
"Access is only allowed between similar types, so Apache running as 
httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."

however the doc doesn't define what "similar types" means.  I assumed it 
just meant "beginning with the same prefix".  However that can't be 
right because on my system with SELinux turned on, httpd runs as type 
init_t:

[root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
system_u:system_r:init_t:s0 root  2521  0.1  0.4  21680  8820 
?Ss   05:05   0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0 apache2550  0.0  0.4  23364  8920 
?S05:05   0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0 apache2551  0.1  0.4  22736  8212 
?S05:05   0:00 /usr/sbin/httpd

and the robots.txt file has type file_t:
[root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
-rw-rw-rw-  root root system_u:object_r:file_t:s0  
/var/www/html/robots.txt

but Apache can of course access that file.  So in Type Enforcement, what 
determines what process type can access what file type?

Bennett
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux and access across 'similar types'

2012-01-05 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/05/2012 04:36 PM, Bennett Haselton wrote:
> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed
> between similar types, so Apache running as httpd_t can read
> /var/www/html/index.html of type httpd_sys_content_t."
> 
> however the doc doesn't define what "similar types" means.  I
> assumed it just meant "beginning with the same prefix".  However
> that can't be right because on my system with SELinux turned on,
> httpd runs as type init_t:
> 
> [root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3 
> system_u:system_r:init_t:s0 root  2521  0.1  0.4  21680
> 8820 ?Ss   05:05   0:00 /usr/sbin/httpd 
> system_u:system_r:init_t:s0 apache2550  0.0  0.4  23364
> 8920 ?S05:05   0:00 /usr/sbin/httpd 
> system_u:system_r:init_t:s0 apache2551  0.1  0.4  22736
> 8212 ?S05:05   0:00 /usr/sbin/httpd
> 
> and the robots.txt file has type file_t: [root@peacefire04 - /root
> # ls -lZ /var/www/html/robots.txt -rw-rw-rw-  root root
> system_u:object_r:file_t:s0 /var/www/html/robots.txt
> 
> but Apache can of course access that file.  So in Type Enforcement,
> what determines what process type can access what file type?
> 
> Bennett ___ CentOS
> mailing list CentOS@centos.org 
> http://lists.centos.org/mailman/listinfo/centos


Your machine needs to be relabeled.

touch /.autorelabel
reboot

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8GGk4ACgkQrlYvE4MpobMVkgCfVagwQqbzB2UW1+TEsrrCVhF5
lFkAnjLTi3zphekGomv04ZyMu0sOuopg
=cIvM
-END PGP SIGNATURE-
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
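
Dan's one-line diagnosis rests on two tells in Bennett's output: a daemon still running in init_t, meaning it never transitioned into its own domain (which happens when its executable has lost its exec type), and a file carrying file_t, which is the label a file has when it has none. The following is an added example, not from the thread or the CentOS wiki, that scans 'ps awuxZ' and 'ls -Z' output as text for exactly those symptoms. The expected labels it knows are only the two the thread itself states (/usr/sbin/httpd runs as httpd_t; /var/www/html content is httpd_sys_content_t). The sample lines are the ones posted, rejoined onto single lines, plus two constructed healthy lines.

```python
"""Spot SELinux labels that say 'this system was never relabeled'."""
import re

CTX_RE = re.compile(r"^[\w.-]+:[\w.-]+:[\w.-]+(?::\S+)?$")  # user:role:type[:level]
UNLABELED_FILE_TYPES = {"file_t", "unlabeled_t"}
STUCK_DOMAINS = {"init_t", "initrc_t"}  # a confined service should have left these
# From the thread: the only expected labels we claim to know.
EXPECTED_DOMAIN = {"/usr/sbin/httpd": "httpd_t"}
EXPECTED_FILE_TYPE = {"/var/www/html/": "httpd_sys_content_t"}

# 'ps awuxZ' lines as posted (rejoined) plus one constructed healthy worker
PS_OUTPUT = """\
system_u:system_r:init_t:s0 root 2521 0.1 0.4 21680 8820 ? Ss 05:05 0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0 apache 2550 0.0 0.4 23364 8920 ? S 05:05 0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0 apache 2551 0.1 0.4 22736 8212 ? S 05:05 0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0 apache 2552 0.0 0.4 22736 8212 ? S 05:05 0:00 /usr/sbin/httpd
"""

# 'ls -Z' lines: the posted robots.txt plus one constructed correctly labelled file
LS_OUTPUT = """\
-rw-rw-rw-  root root system_u:object_r:file_t:s0  /var/www/html/robots.txt
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t:s0  /var/www/html/index.html
"""


def context_type(ctx):
    """The type field of user:role:type[:level]."""
    return ctx.split(":", 3)[2]


def check_process(line):
    """ps awuxZ columns: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND."""
    t = line.split()
    if len(t) < 12 or not CTX_RE.match(t[0]):
        return None
    domain, pid, exe = context_type(t[0]), t[2], t[11]
    expected = EXPECTED_DOMAIN.get(exe)
    if expected is not None and domain != expected:
        return ("process", "pid %s %s" % (pid, exe), domain, expected)
    if domain in STUCK_DOMAINS and exe.startswith("/usr/sbin/"):  # heuristic: a daemon
        return ("process", "pid %s %s" % (pid, exe), domain, "its own domain")
    return None


def check_file(line):
    """ls -Z columns: the context is the one token shaped like a label; path is last."""
    t = line.split()
    ctx = next((x for x in t if CTX_RE.match(x)), None)
    if ctx is None or t[-1] == ctx:
        return None
    ftype, path = context_type(ctx), t[-1]
    expected = next((v for prefix, v in EXPECTED_FILE_TYPE.items()
                     if path.startswith(prefix)), None)
    if ftype in UNLABELED_FILE_TYPES:
        return ("file", path, ftype, expected or "a labelled type")
    if expected is not None and ftype != expected:
        return ("file", path, ftype, expected)
    return None


def scan(ps_output, ls_output):
    """Return (kind, what, actual type, expected type) for every suspect label."""
    findings = [check_process(l) for l in ps_output.splitlines()]
    findings += [check_file(l) for l in ls_output.splitlines()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    found = scan(PS_OUTPUT, LS_OUTPUT)
    for kind, what, actual, expected in found:
        print("%s %s is %s, expected %s" % (kind, what, actual, expected))
    if found:
        print("labels are missing: touch /.autorelabel and reboot")
```

Any hit here means the policy question in the original post cannot be answered from the labels on the box, because they are not the labels the policy was written against; relabeling first, as Dan says, puts httpd back in httpd_t and the content back in httpd_sys_content_t, and only then do the allow rules between those types apply.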


[CentOS] Serial port driver on CentOS 6

2012-01-05 Thread Alfred von Campe
I installed CentOS 6 on a Dell Optiplex 790 with a StarTech.com dual serial
port card, and the serial ports aren't being recognized.  According to dmesg,
only the built-in serial port is being recognized:

# dmesg | fgrep ttyS
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
00:08: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A

And lspci -v doesn't show that any drivers are loaded for it:

# lspci -v
[snip]
03:00.0 Serial controller: NetMos Technology PCIe 9922 Multi-I/O Controller 
(prog-if 02 [16550])
Subsystem: Device a000:1000
Flags: fast devsel, IRQ 16
I/O ports at 2010 [size=8]
Memory at e1a3 (32-bit, non-prefetchable) [size=4K]
Memory at e1a2 (32-bit, non-prefetchable) [size=4K]
Capabilities: [50] MSI: Enable- Count=1/8 Maskable- 64bit+
Capabilities: [78] Power Management version 3
Capabilities: [80] Express Legacy Endpoint, MSI 00
Capabilities: [100] Virtual Channel 
Capabilities: [800] Advanced Error Reporting

03:00.1 Serial controller: NetMos Technology PCIe 9922 Multi-I/O Controller 
(prog-if 02 [16550])
Subsystem: Device a000:1000
Flags: fast devsel, IRQ 17
I/O ports at 2000 [size=8]
Memory at e1a1 (32-bit, non-prefetchable) [size=4K]
Memory at e1a0 (32-bit, non-prefetchable) [size=4K]
Capabilities: [50] MSI: Enable- Count=1/8 Maskable- 64bit+
Capabilities: [78] Power Management version 3
Capabilities: [80] Express Legacy Endpoint, MSI 00
Capabilities: [100] Advanced Error Reporting

What do I need to do to get these serial ports recognized?  On some other
CentOS 6 systems with StarTech.com serial cards they were automatically
recognized (different hardware and not PCIe based).

Thanks,
Alfred



Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2012-01-05 Thread Pasi Kärkkäinen
On Wed, Jan 04, 2012 at 09:53:16AM -0600, Johnny Hughes wrote:
> On 01/04/2012 04:29 AM, Christopher J. Buckley wrote:
> > 2012/1/4 An Yang 
> >
> >> Somebody in Oracle told me, they need one year to test, I'm not sure,
> >> it's true or not.
> >>
> > That's about right. The testing isn't done by Oracle btw, it's done by the
> > end vendor.
> >
> >
> The "end vendor" submitted the information to Oracle months ago:
> 
> http://www.redhat.com/about/news/blog/Red-Hat-Submits-Oracle-11gR2-on-Red-Hat-Enterprise-Linux-6-Certification-Test-Results-to-Oracle
> 
> Oracle does not want to support ASMLib on any kernel other than OEL (or
> UBL if you prefer):
> 
> https://www.redhat.com/archives/rhelv6-list/2011-December/msg00032.html
> 
> The bottom line is that Oracle IS going to try to drive people to their
> version of Linux and off RHEL.
> 
> But I know, I am just be paranoid or some other such thing.  Right
> Christopher?
> 

http://en.community.dell.com/techcenter/b/techcenter/archive/2012/01/03/dell-engineering-preview-oracle-11gr2-rac-on-rhel6.aspx
http://en.community.dell.com/techcenter/enterprise-solutions/w/oracle_solutions/3336.aspx


-- Pasi



[CentOS] swap labeling annoyance

2012-01-05 Thread m . roth
I just upgraded a blade server via rsync from another server. Rebuilt the
initrd. It boots fine... except that it won't turn on the swap partition.
Several times, I've made sure swap was off, then mkswap -L SWAP-sda3
/dev/sda3, but when I do swapon -L SWAP-sda3, it complains it can't find
the device for the label.

The only thing I find while googling, other than redoing what I've done
several times now, is an old bug from CentOS 4, 0001399, which affected
*only* blade enclosures: the reporter says that all of his IBM blades were
affected (this isn't an IBM). His workaround was to make an ext2 fs, label
it, and turn that into swap.

Has anyone seen this recently, with 6.2?

   mark



Re: [CentOS] Serial port driver on CentOS 6

2012-01-05 Thread John R Pierce
On 01/05/12 2:10 PM, Alfred von Campe wrote:
> What do I need to do to get these serial ports recognized?

random googling from that serial controller name

NetMos Technology PCIe 9922 Multi-I/O Controller

seems to indicate you'll need to compile the kernel driver for it, it's 
not supported until kernel 3.1
the driver appears to be here, 
http://www.asix.com.tw/products.php?op=pItemdetail&PItemID=120;74;110&PLine=74 


when you've compiled a custom kernel driver, you'll need to remember to 
recompile it for each kernel update, unless you go through some serious 
dancing with (I forget the eTLA for the magic that causes the kernel 
installer to autocompile site-specific stuff)


>   On some other
> CentOS 6 systems with StarTech.com serial cards they were automatically
> recognized (different hardware and not PCIe based).

those cards undoubtedly used a different chip that's supported by the 
el6 kernel.


-- 
john r pierce                            N 37, W 122
santa cruz ca mid-left coast



[CentOS] suppressing openssh server identification

2012-01-05 Thread Craig White
With all of the discussions regarding getting p3wned, I am feeling paranoid and 
can't seem to figure out how to suppress this...

telnet $SOME_CENTOS_5_SERVER 22
Trying $SOME_IP_ADDRESS...
Connected to $SOME_CENTOS_5_SERVER.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3

'Banner no' doesn't do it. Is it possible to suppress the version?

-- 
Craig White ~ craig.wh...@ttiltd.com
1.800.869.6908 ~~ www.ttiassessments.com 

Need help communicating between generations at work to achieve your desired 
success? Let us help!
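For context on the question above: the line shown by telnet is the SSH identification string, and RFC 4253 section 4.2 makes the software-version field mandatory (it may be anything, but it may not be empty and may not contain whitespace or a minus sign). The sshd_config `Banner` directive controls the text sent after this exchange and before authentication, so it cannot hide it, and stock OpenSSH has no directive that omits the version; changing it means rebuilding sshd with a different SSH_VERSION in version.h. The following POSIX shell snippet is an added example, not code from the thread: it parses an identification string the way a banner-grabbing scanner does, so you can see exactly what a probe learns. The sample strings are constructed (the first is the one in the post).

```sh
#!/bin/sh
# Added example (not from the thread): parse an SSH identification string per RFC 4253 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion is mandatory and contains no whitespace or "-"; comments are optional.

# Print "proto=<p> software=<s> comments=<c>" for the identification line given as $1.
# Returns 1 if the line is not a well-formed identification string.
ssh_ident_parse() {
    line=$(printf '%s' "$1" | tr -d '\r')   # tolerate a trailing CR
    case $line in
        SSH-*-*) ;;
        *) return 1 ;;
    esac
    rest=${line#SSH-}
    proto=${rest%%-*}                        # up to the first "-" after "SSH-"
    rest=${rest#*-}
    case $rest in
        *' '*) sw=${rest%% *}; comments=${rest#* } ;;   # first space separates comments
        *)     sw=$rest;       comments= ;;
    esac
    [ -n "$sw" ] || return 1                 # softwareversion may not be empty
    [ ${#line} -le 253 ] || return 1         # 255 bytes maximum including CR LF
    printf 'proto=%s software=%s comments=%s\n' "$proto" "$sw" "$comments"
}

# Constructed sample strings; the first is the one the telnet session in the post shows.
ssh_ident_parse 'SSH-2.0-OpenSSH_4.3'
ssh_ident_parse 'SSH-1.99-OpenSSH_3.9p1 Debian-1ubuntu2'
ssh_ident_parse 'HTTP/1.0 400 Bad Request' || echo 'not an SSH identification line'

# To see what your own server advertises without telnet:
#   ssh -v host 2>&1 | grep 'remote software version'
```

The comment field is where vendor patch levels usually leak (the Debian-style suffix in the second sample); the software field is what version scanners match against.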



Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2012-01-05 Thread John R Pierce
On 01/05/12 2:11 PM, Pasi Kärkkäinen wrote:
> http://en.community.dell.com/techcenter/b/techcenter/archive/2012/01/03/dell-engineering-preview-oracle-11gr2-rac-on-rhel6.aspx
> http://en.community.dell.com/techcenter/enterprise-solutions/w/oracle_solutions/3336.aspx

the bottom line for Oracle Support is whatever Oracle says they 
support.  last I looked, EL6 wasn't on that list (nor is ANY version of 
CentOS)

http://docs.oracle.com/cd/E11882_01/install.112/e16763/pre_install.htm#CIHFICFD 


this doesn't mean it won't work, but what it does mean is that if 
something goes sideways on you, oracle won't help you one bit, and since 
you pay a substantial chunk of money annually for that precious support, 
it's insane NOT to use a supported platform.




-- 
john r pierce                            N 37, W 122
santa cruz ca mid-left coast




Re: [CentOS] Serial port driver on CentOS 6

2012-01-05 Thread Ljubomir Ljubojevic
On 01/05/2012 11:10 PM, Alfred von Campe wrote:
> I installed CentOS 6 on a Dell Optiplex 790 with a StarTech.com dual serial
> port card, and the serial ports aren't being recognized.  According to dmesg,
> only the built-in serial port is being recognized:
>
> # dmesg | fgrep ttyS
> serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
> 00:08: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
>
> And lspci -v doesn't show that any drivers are loaded for it:
>
> # lspci -v
> [snip]
> 03:00.0 Serial controller: NetMos Technology PCIe 9922 Multi-I/O Controller 
> (prog-if 02 [16550])
>  Subsystem: Device a000:1000
>  Flags: fast devsel, IRQ 16
>  I/O ports at 2010 [size=8]
>  Memory at e1a3 (32-bit, non-prefetchable) [size=4K]
>  Memory at e1a2 (32-bit, non-prefetchable) [size=4K]
>  Capabilities: [50] MSI: Enable- Count=1/8 Maskable- 64bit+
>  Capabilities: [78] Power Management version 3
>  Capabilities: [80] Express Legacy Endpoint, MSI 00
>  Capabilities: [100] Virtual Channel
>  Capabilities: [800] Advanced Error Reporting
>
> 03:00.1 Serial controller: NetMos Technology PCIe 9922 Multi-I/O Controller 
> (prog-if 02 [16550])
>  Subsystem: Device a000:1000
>  Flags: fast devsel, IRQ 17
>  I/O ports at 2000 [size=8]
>  Memory at e1a1 (32-bit, non-prefetchable) [size=4K]
>  Memory at e1a0 (32-bit, non-prefetchable) [size=4K]
>  Capabilities: [50] MSI: Enable- Count=1/8 Maskable- 64bit+
>  Capabilities: [78] Power Management version 3
>  Capabilities: [80] Express Legacy Endpoint, MSI 00
>  Capabilities: [100] Advanced Error Reporting
>
> What do I need to do to get these serial ports recognized?  On some other
> CentOS 6 systems with StarTech.com serial cards they were automatically
> recognized (different hardware and not PCIe based).
>

Check this thread:
https://www.centos.org/modules/newbb/viewtopic.php?topic_id=34250


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] Serial port driver on CentOS 6

2012-01-05 Thread Gé Weijers
The magic is called DKMS.

-- 
Gé


Re: [CentOS] Serial port driver on CentOS 6

2012-01-05 Thread John R Pierce
On 01/05/12 2:26 PM, Gé Weijers wrote:
> The magic is called DKMS.

ah, I knew it was something like that but was too lazy to look up.   too 
many eTLA's [1]





[1] enhanced Three Letter Acronyms, eg, TLA's with more than 3 letters.  
old IBM joke.

-- 
john r pierce                            N 37, W 122
santa cruz ca mid-left coast




Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2012-01-05 Thread Craig White

On Jan 5, 2012, at 3:26 PM, John R Pierce wrote:

> this doesn't mean it won't work, but what it does mean is that if 
> something goes sideways on you, oracle won't help you one bit, and since 
> you pay a substantial chunk of money annually for that precious support, 
> its insane NOT to use a supported platform.

seems to me that the sanity issue was forefront at the point before when they 
chose to use Oracle in the first place but Larry loves you.

Reminds me of Animal House... "thank you sir, may I have another?"

Craig


Re: [CentOS] No eth0 on centos 6.2

2012-01-05 Thread Jeff
Thanks for the help and info!

-JT





Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2012-01-05 Thread Hakan Koseoglu
On 5 January 2012 22:11, Pasi Kärkkäinen  wrote:
> http://en.community.dell.com/techcenter/b/techcenter/archive/2012/01/03/dell-engineering-preview-oracle-11gr2-rac-on-rhel6.aspx
> http://en.community.dell.com/techcenter/enterprise-solutions/w/oracle_solutions/3336.aspx
And?

First paragraph from the first link clearly states, I quote from it:
DISCLAIMER: The following is Engineering Documentation provided by
Dell and is a technology preview only. At this time the following
configuration is not supported by Dell, Red Hat, or Oracle. The
contents of this article should be only viewed as an engineering
demonstration.

What's the point? There is no justification for having RHEL/CentOS or
even OEL6 and running a production Oracle instance on it. Months after
RH's certification submission, Oracle still refuses to certify these
platforms, even its own OEL6. If you are shelling out thousands, tens
of thousands, hundreds of thousands (or millions according to a
suggested architecture I reviewed today) for a customer, go and get a
supported OS.

If you have the time to tinker with it to get it working, excellent,
I'm sure plenty of lessons learned - I had it running on single DB
RHEL6 ages ago and it works fine. Will I suggest to a customer? No.
Will I risk any development on it? No. Will I recommend it to anyone?
No. I am running Oracle 11gR2 on my Kubuntu 11.10 work laptop and it
runs fine but the same applies - no recommendation to a customer, no
production instance, no test instance, no certification from Oracle
hence no support expected from them.


Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2012-01-05 Thread Hakan Koseoglu
On 5 January 2012 22:47, Craig White  wrote:
> seems to me that the sanity issue was forefront at the point before when they 
> chose to use Oracle in the first place but Larry loves you.
>
There are plenty of good reasons for using Oracle DB products - it's
definitely one of the best out there - but I'm not sure I can say the
same about the price tag.


Re: [CentOS] Serial port driver on CentOS 6

2012-01-05 Thread Alfred von Campe
Thanks for all the pointers.  I've downloaded the driver sources and
compiled/installed them, and the serial ports appear to be available
upon reboot (according to dmesg).

I'll look into building it with DKMS to make it easier to support with
future updates.

Thanks again,
Alfred



Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2012-01-05 Thread Hakan Koseoglu
On 5 January 2012 22:26, John R Pierce  wrote:
> this doesn't mean it won't work, but what it does mean is that if
> something goes sideways on you, oracle won't help you one bit, and since
> you pay a substantial chunk of money annually for that precious support,
> its insane NOT to use a supported platform.
I guess it depends on their mood. In various cases we raised with them
on behalf of the customers, they never said get lost after we
replicated it on a CentOS 5 running on VMWare in house - in both cases
they have rights to say get lost. In case of CentOS, as discussed
endlessly, it is not certified. For any non-Oracle-owned
virtualization solution they reserve the right to say "replicate on
physical hardware first". On the other hand, I can't recall a case we
had which had a cause originating from the OS itself on Linux at least
(AIX is a different story, there are a couple of those).

On the other hand the first nasty one will be the one you will
remember! All of our Linux customers use RHEL or OEL. When they ask
about CentOS, I always explain the Oracle's stand and clearly state
any CentOS instance would not be supported by Oracle even though we
have almost all of our in-house development instances running on it
and never had a problem that didn't also happen on a RHEL environment.
Once they start calculating the support costs against risk, they
realize that having a valid support agreement with Oracle and RHEL
actually makes sense. After you count for the Oracle licencing costs,
the RHEL support becomes peanuts and since it could invalidate Oracle
support, you are actually not saving any money. When the instance is
just a playpen, I definitely recommend CentOS.

Still, none of this matters for v6, I think we will have to wait for
Oracle 12c to come out to get OEL6 support, I am not sure about RHEL,
at least w/o so-called Unbreakable Kernel malarkey.


Re: [CentOS] SELinux and access across 'similar types'

2012-01-05 Thread RILINDO FOSTER

On Jan 5, 2012, at 4:46 PM, Daniel J Walsh wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On 01/05/2012 04:36 PM, Bennett Haselton wrote:
>> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed
>> between similar types, so Apache running as httpd_t can read
>> /var/www/html/index.html of type httpd_sys_content_t."
>> 
>> however the doc doesn't define what "similar types" means.  I
>> assumed it just meant "beginning with the same prefix".  However
>> that can't be right because on my system with SELinux turned on,
>> httpd runs as type init_t:
>> 
>> [root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
>> system_u:system_r:init_t:s0     root      2521  0.1  0.4  21680  8820 ?  Ss   05:05   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t:s0     apache    2550  0.0  0.4  23364  8920 ?  S    05:05   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t:s0     apache    2551  0.1  0.4  22736  8212 ?  S    05:05   0:00 /usr/sbin/httpd
>> 
>> and the robots.txt file has type file_t:
>> [root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
>> -rw-rw-rw-  root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
>> 
>> but Apache can of course access that file.  So in Type Enforcement,
>> what determines what process type can access what file type?
>> 
>> Bennett
> 
> 
> Your machine needs to be relabeled.
> 
> touch /.autorelabel
> reboot
> 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAk8GGk4ACgkQrlYvE4MpobMVkgCfVagwQqbzB2UW1+TEsrrCVhF5
> lFkAnjLTi3zphekGomv04ZyMu0sOuopg
> =cIvM
> -END PGP SIGNATURE-

WARNING: If you have not had SELinux enabled for a long time, the boot is going to 
take a while as the system relabels the whole machine. Do not do this unless 
you can plan for an extended downtime.



Re: [CentOS] c6, LSI megaraid drive failure notification

2012-01-05 Thread Craig White

On Jan 5, 2012, at 2:35 PM, John R Pierce wrote:

> On 01/05/12 1:09 PM, Craig White wrote:
>> I probably should have figured out a way to send you just a tarball but 
>> there really wasn't much else and certainly nothing of significance.
> 
> sigh, it's doing the same thing as the code I 'fixed' from that blog I 
> posted earlier...
> 
># ./megaclisas-status
>-- Controller informations --
>-- ID | Model
>c0 | LSI MegaRAID SAS 9261-8i
> 
>-- Arrays informations --
>-- ID | Type | Size | Status | InProgress
> 
>-- Disks informations
>-- ID | Model | Status
> 
> 
> (I have 1 array and 36 disks on this controller)
> so the output format from MegaCli has probably changed just enough to 
> throw it off, so I need to refactor it.  meh.
> 
> I can't believe no one is running a late model MegaRAID SAS card with 
> Linux and doesn't require error status change notifications.

maybe it's the RAID controller you are using that isn't compatible with megacli 
or the version of megacli that you are using...

from dpkg -l megacli...
megacli  5.00.12-1  LSI Logic MegaRAID SAS MegaCLI

/usr/sbin/megaclisas-status
-- Controller informations --
-- ID | Model
c0 | Supermicro SMC2108

-- Arrays informations --
-- ID | Type | Size | Status | InProgress
c0u0 | RAID1 | 930G | Optimal | None

-- Disks informations
-- ID | Model | Status
c0u0p0 | 9XG06RH0ST91000640NS SN01 | Online
c0u0p1 | 9XG067L3ST91000640NS SN01 | Online

of course this is on Ubuntu so YMMV

Craig


Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread Johnny Hughes
On 01/05/2012 02:51 PM, Bennett Haselton wrote:
> On 1/5/2012 6:53 AM, Johnny Hughes wrote:
>> On 01/04/2012 07:47 PM, Bennett Haselton wrote:
>>> On 1/4/2012 1:59 PM, Lamar Owen wrote:
>>>> [Distilling to the core matter; everything else is peripheral.]
>>>>
>>>> On Jan 4, 2012, at 2:58 PM, Bennett Haselton wrote:
>>>>> To be absolutely clear: Do you, personally, believe there is more than a
>>>>> 1 in a million chance that the attacker who got into my machine, got it
>>>>> by brute-forcing the password?  As opposed to, say, using an underground
>>>>> exploit?
>>>> Here's how I see it breaking down:
>>>>
>>>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>>>> your /etc/shadow file (not a remote shell, just GET the file without
>>>> that fact being logged);
>>>> 2.) Attacker runs cloud-based (and/or CUDA accelerated) brute-forcer
>>>> on 10,000,000 machines against your /etc/shadow file without your
>>>> knowledge;
>>>> 3.) Some time passes;
>>>> 4.) Attacker obtains your password using distributed brute forcing of
>>>> the hash in the window of time prior to you resetting it;
>>>> 5.) Attacker logs in since you allow password login.  You're pwned by
>>>> a non-login brute-force attack.
>>>>
>>>> In contrast, with ssh keys and no password logins allowed:
>>>>
>>>> 1.) Attacker obtains /etc/shadow and cracks your password after some
>>>> time;
>>>> 2.) Attacker additionally obtains /root/.ssh/*
>>>> 3.) Attacker now has your public key.  Good for them; public keys
>>>> don't have to be kept secure since it is vastly more difficult to
>>>> reverse known plaintext, known ciphertext, and the public key into a
>>>> working private key than it is to brute-force the /etc/shadow hash
>>>> (part of the difficulty is getting all three required components to
>>>> successfully reverse your private key; the other part boils down to
>>>> factoring and hash brute-forcing);
>>>> 4.) Attacker also has root's public and private keys, if there is a
>>>> pair in root's ~/.ssh, which may or may not help them.  If there's a
>>>> passphrase on the private key, it's quite difficult to obtain that
>>>> from the key;
>>>> 5.) Attacker can't leverage either your public key or root's key pair
>>>> (or the machine key; even if they can leverage that to do MitM (which
>>>> they can and likely will) that doesn't help them obtain your private
>>>> key for authentication;
>>>> 6.) Attacker still can't get in because you don't allow password
>>>> login, even though attacker has root's password.
>>>>
>>>> This only requires an apache httpd exploit that allows reading of any
>>>> file; no files have to be modified and no shells have to be acquired
>>>> through any exploits.  Those make it faster, for sure; but even then
>>>> the attacker is going to acquire your /etc/shadow as one of the first
>>>> things they do; the next thing they're going to do is install a
>>>> rootkit with a backdoor password.
>>>>
>>>> Brute-forcing by hash-cracking, not by attempting to login over ssh,
>>>> is what I'm talking about.
>>> I acknowledged that the first time I replied to someone's post saying a
>>> 12-char password wasn't secure enough.  I hypothesized an attacker with
>>> the fastest GPU-driven password cracker in the world (even allowing for
>>> 100-factor improvements in coming years) and it would still take
>>> centuries to break.  I understand about brute-forcing the hash vs.
>>> brute-forcing the login, but some others had posted about brute-forcing
>>> the login specifically and I was commenting on how ridiculous that was.
>>>
>>>> This is what I mean when I say 'multilayer metasploit-driven attacks.'
>>>>
>>>> The weakest link is the security of /etc/shadow on the server for
>>>> password auth (unless you use a different auth method on your server,
>>>> like LDAP or other, but that just adds a layer, making the attacker
>>>> work harder to get that all-important password).  Key based auth is
>>>> superior, since the attacker reading any file on your server cannot
>>>> compromise the security.
>>>>
>>>> Kerberos is better still.
>>>>
>>>> Now, the weakest link for key auth is the private key itself.  But
>>>> it's better protected than any password is (if someone can swipe your
>>>> private key off of your workstation you have bigger problems, and they
>>>> will have your /etc/shadow for your workstation, and probably a
>>>> backdoor.).  The passphrase is also better protected than the
>>>> typical MD5 hash password, too.
>>>>
>>>> It is the consensus of the security community that key-based
>>>> authentication with strong private key passphrases is better than any
>>>> password-only authentication, and that consensus is based on facts
>>>> derived from evidence of actual break-ins.
>>> Well yes, on average, password-authentication is going to be worse
>>> because it includes people in the sample who are using passwords like
>>> "Patricia".  Did they compare the break-in rate for systems with 12-char
>>> passwords vs. system
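The scenario Lamar Owen lays out above ends at step 5 only if sshd still accepts passwords, so the practical control is the sshd_config, not the password length. The following POSIX shell script is an added example, not code from the thread: it reads an sshd_config, applies the OpenSSH defaults that the EL5/EL6-era sshd uses for directives that are absent or commented out (PasswordAuthentication, ChallengeResponseAuthentication, PermitRootLogin and PubkeyAuthentication all default to yes, PermitEmptyPasswords to no), and reports every setting that would let a cracked hash from /etc/shadow be used to log in. The two configs in it are constructed samples: a stock-looking one with the directives commented out, and a hardened one.

```sh
#!/bin/sh
# Added example (not from the thread): audit sshd_config for whether a cracked /etc/shadow
# hash is usable over the network. Defaults are the ones an unset directive gets in sshd.

# Effective value of directive $2 in config text $1: first uncommented match wins, as in
# sshd; $3 is the default used when the directive is absent. Matching is case-insensitive.
sshd_effective() {
    _v=$(printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; exit }')
    [ -n "$_v" ] && printf '%s' "$_v" || printf '%s' "$3"
}

# Print one finding per line; return 0 when the config resists hash cracking.
sshd_audit() {
    cfg=$1; rc=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication yes)
    cr=$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)
    root=$(sshd_effective "$cfg" PermitRootLogin yes)
    pk=$(sshd_effective "$cfg" PubkeyAuthentication yes)
    empty=$(sshd_effective "$cfg" PermitEmptyPasswords no)
    [ "$pw" = no ] || { echo "PasswordAuthentication=$pw: a cracked /etc/shadow hash logs in"; rc=1; }
    # With UsePAM yes, keyboard-interactive still prompts for the same password.
    [ "$cr" = no ] || { echo "ChallengeResponseAuthentication=$cr: PAM keyboard-interactive still takes the password"; rc=1; }
    case $root in
        no|without-password) ;;
        *) echo "PermitRootLogin=$root: root's password is usable over the network"; rc=1 ;;
    esac
    [ "$pk" = yes ] || { echo "PubkeyAuthentication=$pk: key login disabled"; rc=1; }
    [ "$empty" = no ] || { echo "PermitEmptyPasswords=$empty"; rc=1; }
    return $rc
}

# Constructed samples. The first looks like a stock file: directives present only as comments.
WEAK_CFG='#PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes'

HARDENED_CFG='PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes'

sshd_audit "$WEAK_CFG" || echo "weak config: see findings above"
sshd_audit "$HARDENED_CFG" && echo "hardened config: no findings"
# On a live host: sshd_audit "$(cat /etc/ssh/sshd_config)"
# OpenSSH 5.1 and later (EL6's 5.3, not EL5's 4.3) can also dump effective values with: sshd -T
```

The audit deliberately reads the file rather than trusting a single directive: `PasswordAuthentication no` alone still leaves the password reachable through keyboard-interactive when `ChallengeResponseAuthentication` is left at its default with PAM enabled.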

Re: [CentOS] c6, LSI megaraid drive failure notification

2012-01-05 Thread John R Pierce
On 01/05/12 1:35 PM, John R Pierce wrote:
> sigh, it's doing the same thing as the code I 'fixed' from that blog I
> posted earlier...

ok, I've figured out the differences between what megaclisas-status 
expected and what megacli for these new sas cards generated, and hacked 
up the code to work with the firmware version I have, but it didn't 
really understand SAS enclosure numbering nor did it list the global 
hotspares:


# ./megaclisas-status
-- Controller informations --
-- ID | Model
c0 | LSI MegaRAID SAS 9261-8i

-- Arrays informations --
-- ID | Type | Size | Status | InProgress
c0u0 | RAID6 | 73668G | Optimal | Background Initialization: Completed 
79%, Taken 329 min.

-- Disks informations
-- ID | Model | Status
c0u0p0 | SEAGATE ST33000650SS 0003Z290SBNR | Online, Spun Up
c0u0p1 | SEAGATE ST33000650SS 0003Z290JX8W | Online, Spun Up
c0u0p2 | SEAGATE ST33000650SS 0003Z290WT5A | Online, Spun Up
c0u0p3 | SEAGATE ST33000650SS 0003Z290T04B | Online, Spun Up
c0u0p4 | SEAGATE ST33000650SS 0003Z290VL94 | Online, Spun Up
c0u0p5 | SEAGATE ST33000650SS 0003Z290VA0W | Online, Spun Up
c0u0p6 | SEAGATE ST33000650SS 0003Z290QGSF | Online, Spun Up
c0u0p7 | SEAGATE ST33000650SS 0003Z290QLYD | Online, Spun Up
c0u0p8 | SEAGATE ST33000650SS 0003Z290ML45 | Online, Spun Up
c0u0p9 | SEAGATE ST33000650SS 0003Z290TCLW | Online, Spun Up
c0u0p10 | SEAGATE ST33000650SS 0003Z290X68R | Online, Spun Up
c0u0p0 | SEAGATE ST33000650SS 0003Z290LC8R | Online, Spun Up
c0u0p1 | SEAGATE ST33000650SS 0003Z290PG2G | Online, Spun Up
c0u0p2 | SEAGATE ST33000650SS 0003Z290N3MF | Online, Spun Up
c0u0p3 | SEAGATE ST33000650SS 0003Z290BD3Q | Online, Spun Up
c0u0p4 | SEAGATE ST33000650SS 0003Z290BDL4 | Online, Spun Up
c0u0p5 | SEAGATE ST33000650SS 0003Z290R7DJ | Online, Spun Up
c0u0p6 | SEAGATE ST33000650SS 0003Z2908KHH | Online, Spun Up
c0u0p7 | SEAGATE ST33000650SS 0003Z290BDCN | Online, Spun Up
c0u0p8 | SEAGATE ST33000650SS 0003Z290QR9Q | Online, Spun Up
c0u0p9 | SEAGATE ST33000650SS 0003Z290TDTE | Online, Spun Up
c0u0p10 | SEAGATE ST33000650SS 0003Z290PTX5 | Online, Spun Up
c0u0p0 | SEAGATE ST33000650SS 0003Z290PSZ2 | Online, Spun Up
c0u0p1 | SEAGATE ST33000650SS 0003Z290S8LH | Online, Spun Up
c0u0p2 | SEAGATE ST33000650SS 0003Z290QYX2 | Online, Spun Up
c0u0p3 | SEAGATE ST33000650SS 0003Z290MY22 | Online, Spun Up
c0u0p4 | SEAGATE ST33000650SS 0003Z290MY43 | Online, Spun Up
c0u0p5 | SEAGATE ST33000650SS 0003Z290LGTG | Online, Spun Up
c0u0p6 | SEAGATE ST33000650SS 0003Z290TXHX | Online, Spun Up
c0u0p7 | SEAGATE ST33000650SS 0003Z290R0AE | Online, Spun Up
c0u0p8 | SEAGATE ST33000650SS 0003Z290L1D5 | Online, Spun Up
c0u0p9 | SEAGATE ST33000650SS 0003Z290TLGX | Online, Spun Up
c0u0p10 | SEAGATE ST33000650SS 0003Z290TQW7 | Online, Spun Up

(note all the disks are c0u0, which is way wrong, my disks are 
20:0-20:11 and 45:0-45:23)



  so I took the OTHER one I'd found and saw that it WAS setup for SAS 
enclosure info, and on my test system generates this output...

# ./lsi-raidinfo
-- Controllers --
-- ID | Model
c0 | LSI MegaRAID SAS 9261-8i

-- Volumes --
-- ID | Type | Size | Status | InProgress
volinfo: c0u0 | RAID6 | 73668G | Optimal | Background Initialization: 
Completed 77%, Taken 303 min.

-- Disks --
-- Encl:Slot | Model | Status
diskinfo: 20:0 | SEAGATE ST33000650SS 0003Z290SBNR | Online, Spun Up
diskinfo: 20:1 | SEAGATE ST33000650SS 0003Z290JX8W | Online, Spun Up
diskinfo: 20:2 | SEAGATE ST33000650SS 0003Z290WT5A | Online, Spun Up
diskinfo: 20:3 | SEAGATE ST33000650SS 0003Z290T04B | Online, Spun Up
diskinfo: 20:4 | SEAGATE ST33000650SS 0003Z290VL94 | Online, Spun Up
diskinfo: 20:5 | SEAGATE ST33000650SS 0003Z290VA0W | Online, Spun Up
diskinfo: 20:6 | SEAGATE ST33000650SS 0003Z290QGSF | Online, Spun Up
diskinfo: 20:7 | SEAGATE ST33000650SS 0003Z290QLYD | Online, Spun Up
diskinfo: 20:8 | SEAGATE ST33000650SS 0003Z290ML45 | Online, Spun Up
diskinfo: 20:9 | SEAGATE ST33000650SS 0003Z290TCLW | Online, Spun Up
diskinfo: 20:10 | SEAGATE ST33000650SS 0003Z290X68R | Online, Spun Up
diskinfo: 45:11 | SEAGATE ST33000650SS 0003Z290V4PZ Hotspare Information 
| Hotspare, Spun down
diskinfo: 45:0 | SEAGATE ST33000650SS 0003Z290LC8R | Online, Spun Up
diskinfo: 45:1 | SEAGATE ST33000650SS 0003Z290PG2G | Online, Spun Up
diskinfo: 45:2 | SEAGATE ST33000650SS 0003Z290N3MF | Online, Spun Up
diskinfo: 45:3 | SEAGATE ST33000650SS 0003Z290BD3Q | Online, Spun Up
diskinfo: 45:4 | SEAGATE ST33000650SS 0003Z290BDL4 | Online, Spun Up
diskinfo: 45:5 | SEAGATE ST33000650SS 0003Z290R7DJ | Online, Spun Up
diskinfo: 45:6 | SEAGATE ST33000650SS 0003Z2908KHH | Online, Spun Up
diskinfo: 45:7 | SEAGATE ST33000650SS 0003Z290BDCN | Online, Spun Up
diskinfo: 45:8 | SEAGATE ST33000650SS 0003Z290QR9Q | Online, Spun Up
diskinfo: 45:9 | SEAGATE ST33000650SS 0003Z290TDTE | Online, Spun Up
diskinfo: 45:10 | SEAGATE ST33000650SS 0003Z290PTX5 | Online, Spun Up
diskinfo: 45:11 | SEAGATE ST33000650SS 00039XK0EW80 Hotspare Information 
| Hotspare, Spun down
diskinfo: 45:12 | SEAGATE ST3

Re: [CentOS] Serial port driver on CentOS 6

2012-01-05 Thread Ljubomir Ljubojevic
On 01/06/2012 12:10 AM, Alfred von Campe wrote:
> I'll look into building it with DKMS to make it easier to support with
> future updates.

There is also the kmod way of building driver modules, which uses 
weak-updates to make the module available for every future kernel with the 
same ABI/KABI automatically. The ElRepo repository builds its modules in 
that manner. You should check it out, maybe even ask for their help.


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
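The thread above has two concrete steps: confirm which PCI functions have no driver bound (what `lspci -v` not listing a kernel driver means), and arrange for the out-of-tree driver to survive kernel updates, which is the DKMS route Alfred mentions (the ELRepo kmod/weak-updates route is the alternative and is not shown here). The POSIX shell script below is an added example, not code from the thread or from the driver vendor. It parses `lspci -k` output to list unbound devices and writes a minimal dkms.conf; the module name `mcs9922`, its version and the install location are assumptions for illustration, and the lspci sample is constructed from the listing in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Two helpers for the situation above:
# 1) list PCI devices that have no kernel driver bound, from `lspci -k` text;
# 2) write a dkms.conf so an out-of-tree driver is rebuilt on every kernel update.

# Report devices with no "Kernel driver in use:" line.
# Input: `lspci -k` output on stdin. Output: "slot<TAB>description" per unbound device.
unbound_pci_devices() {
    awk '
        /^[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]\.[0-9a-f]/ {
            if (slot != "" && !bound) print slot "\t" desc
            slot = $1; desc = $0; sub(/^[^ ]+ /, "", desc); bound = 0
            next
        }
        /Kernel driver in use:/ { bound = 1 }
        END { if (slot != "" && !bound) print slot "\t" desc }
    '
}

# Write a minimal dkms.conf. $1 = module name, $2 = version, $3 = directory holding the
# driver source (normally /usr/src/<name>-<version>). AUTOINSTALL=yes makes the dkms
# kernel hook rebuild and install the module whenever a new kernel package is installed.
# The destination under /kernel/ is an assumption; use whatever the vendor Makefile installs to.
write_dkms_conf() {
    cat > "$3/dkms.conf" <<EOF
PACKAGE_NAME="$1"
PACKAGE_VERSION="$2"
BUILT_MODULE_NAME[0]="$1"
DEST_MODULE_LOCATION[0]="/kernel/drivers/tty/serial"
AUTOINSTALL="yes"
EOF
}

# Constructed sample of `lspci -k` output, modelled on the listing in the thread:
# the on-board port has a driver, the two NetMos functions do not.
SAMPLE_LSPCI='00:16.3 Serial controller: Intel Corporation 6 Series/C200 Series Chipset Family KT Controller (rev 04)
        Subsystem: Dell Device 047e
        Kernel driver in use: serial
03:00.0 Serial controller: NetMos Technology PCIe 9922 Multi-I/O Controller (prog-if 02 [16550])
        Subsystem: Device a000:1000
03:00.1 Serial controller: NetMos Technology PCIe 9922 Multi-I/O Controller (prog-if 02 [16550])
        Subsystem: Device a000:1000'

printf '%s\n' "$SAMPLE_LSPCI" | unbound_pci_devices

# On a real box (module name mcs9922 and version 1.0 are hypothetical):
#   lspci -k | unbound_pci_devices
#   cp -r vendor-driver-src /usr/src/mcs9922-1.0 && write_dkms_conf mcs9922 1.0 /usr/src/mcs9922-1.0
#   dkms add -m mcs9922 -v 1.0 && dkms build -m mcs9922 -v 1.0 && dkms install -m mcs9922 -v 1.0
#   dkms status      # shows which kernels the module is built for
```

One caveat worth keeping in mind with either DKMS or kmod: a vendor tarball compiled into ring 0 is part of your trusted computing base, so keep the source you built from and its checksum alongside the dkms tree rather than re-downloading it at every rebuild.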


Re: [CentOS] c6, LSI megaraid drive failure notification

2012-01-05 Thread John R Pierce
On 01/05/12 3:23 PM, Craig White wrote:
> maybe it's the RAID controller you are using that isn't compatible with 
> megacli or the version of megacli that you are using...

brand new 9261-8i SAS2 controller definitely works 100% with the latest 
MegaCLI64 I got from LSI Logic (installed from an RPM). From what 
I'm gathering, megacli the program simply passes the command line to the 
card's firmware, which does all the processing and output generation, 
and this output format is human readable, resulting in parsing 
nightmares when it changes.

# rpm -qf /opt/MegaRAID/MegaCli/MegaCli64
MegaCli-8.02.16-1.i386

# /opt/MegaRAID/MegaCli/MegaCli64 showsummary a0

System
 Operating System:  Linux version 2.6.32-220.el6.x86_64
 Driver Version: 00.00.05.40-rh2
 CLI Version: 8.02.16

Hardware
 Controller
  ProductName   : LSI MegaRAID SAS 9261-8i(Bus 0, Dev 0)
  SAS Address   : 500605b0032943d0
  FW Package Version: 12.12.0-0046
  Status: Optimal
(300 more lines of drives and stuff deleted)

anyways, I think I should take this discussion off this CentOS mail 
list, as it's really not CentOS specific, it's an LSI Logic generic 
problem.  I've got enough info now to figure out how to do my own 
parser, I believe I'll use that ShowSummary command rather than the 
LDInfo/PDInfo commands used by the other scripts.


-- 
john r pierce                            N 37, W 122
santa cruz ca mid-left coast
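The thread is really after a drive-failure notification, and both wrapper scripts broke on the text MegaCli emits. The POSIX shell script below is an added example, not code from the thread or from the scripts it discusses: it reads `MegaCli64 -PDList -aAll` output, keys on the field names MegaCli prints for each physical drive (Enclosure Device ID, Slot Number, Inquiry Data, Firmware state), and reports every drive whose firmware state is neither Online nor Hotspare, using enclosure:slot numbering like the second script. The PDList sample is constructed from the listings above, with one drive put into a Failed state.

```sh
#!/bin/sh
# Added example (not from the thread): drive alert check over `MegaCli64 -PDList -aAll`.
# Prints "encl:slot | inquiry | state" for each drive not Online/Hotspare; returns 1 if any.
megacli_pd_alerts() {
    awk -F': *' '
        # emit the previous drive record if its state needs attention
        function flush() {
            if (encl != "" && state !~ /^(Online|Hotspare)/) {
                print encl ":" slot " | " inq " | " state; bad++
            }
            encl = slot = inq = state = ""
        }
        /^Enclosure Device ID/ { flush(); encl = $2 }      # starts a new drive record
        /^Slot Number/         { slot = $2 }
        /^Inquiry Data/        { inq = $2; gsub(/ +/, " ", inq) }   # vendor model fw serial
        /^Firmware state/      { state = $2 }
        END { flush(); exit (bad > 0) }
    '
}

# Constructed -PDList sample: enclosure 20 slot 1 has failed, 45:11 is a spare.
SAMPLE_PDLIST='Enclosure Device ID: 20
Slot Number: 0
Inquiry Data: SEAGATE ST33000650SS     0003Z290SBNR
Firmware state: Online, Spun Up

Enclosure Device ID: 20
Slot Number: 1
Inquiry Data: SEAGATE ST33000650SS     0003Z290JX8W
Firmware state: Failed

Enclosure Device ID: 45
Slot Number: 11
Inquiry Data: SEAGATE ST33000650SS     0003Z290V4PZ
Firmware state: Hotspare, Spun down'

printf '%s\n' "$SAMPLE_PDLIST" | megacli_pd_alerts || echo "drive(s) need attention"

# Cron use (-NoLog stops MegaCli writing MegaSAS.log in the working directory):
#   /opt/MegaRAID/MegaCli/MegaCli64 -PDList -aAll -NoLog | megacli_pd_alerts \
#       || mail -s "RAID drive alert on $(hostname)" root
```

Keying on the labelled fields rather than on column positions is what keeps this working when the firmware adds or reorders lines, which is the breakage John describes above.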



Re: [CentOS] SELinux and access across 'similar types'

2012-01-05 Thread Bennett Haselton
On 1/5/2012 3:14 PM, RILINDO FOSTER wrote:
> On Jan 5, 2012, at 4:46 PM, Daniel J Walsh wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> On 01/05/2012 04:36 PM, Bennett Haselton wrote:
>>> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed
>>> between similar types, so Apache running as httpd_t can read
>>> /var/www/html/index.html of type httpd_sys_content_t."
>>>
>>> however the doc doesn't define what "similar types" means.  I
>>> assumed it just meant "beginning with the same prefix".  However
>>> that can't be right because on my system with SELinux turned on,
>>> httpd runs as type init_t:
>>>
>>> [root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
>>> system_u:system_r:init_t:s0     root      2521  0.1  0.4  21680  8820 ?  Ss   05:05   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t:s0     apache    2550  0.0  0.4  23364  8920 ?  S    05:05   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t:s0     apache    2551  0.1  0.4  22736  8212 ?  S    05:05   0:00 /usr/sbin/httpd
>>>
>>> and the robots.txt file has type file_t:
>>> [root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
>>> -rw-rw-rw-  root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
>>>
>>> but Apache can of course access that file.  So in Type Enforcement,
>>> what determines what process type can access what file type?
>>>
>>> Bennett
>>
>> Your machine needs to be relabeled.
>>
>> touch /.autorelabel
>> reboot
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v1.4.11 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAk8GGk4ACgkQrlYvE4MpobMVkgCfVagwQqbzB2UW1+TEsrrCVhF5
>> lFkAnjLTi3zphekGomv04ZyMu0sOuopg
>> =cIvM
>> -END PGP SIGNATURE-
> WARNING: If you have never enabled SELinux for long time, the boot is going 
> to take a while as the system relabels the whole machine. Do not do this 
> unless you can plan for an extend downtime.
>
I did do
touch /.autorelabel
reboot

The machine booted back up in just a few minutes, what looked like 
normal reboot time.  And then I ran the same commands as before and got 
what looks to me like the same output:

[root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
-rw-rw-rw-  root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
[root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
system_u:system_r:init_t:s0 root   2530  0.0  0.4  21680  8820 ?  Ss  16:23  0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0 apache 2558  0.8  0.8  28308 16392 ?  S   16:23  0:03 /usr/sbin/httpd
system_u:system_r:init_t:s0 apache 2560  0.5  0.5  23248 10236 ?  S   16:23  0:02 /usr/sbin/httpd

So I'm wondering:
1) How did you know that the machine needed to be relabeled, was it 
something in the output of the commands the first time I ran them? and 
in that case,
2) Why didn't it change after I created /.autorelabel and rebooted?
(I can confirm the file /.autorelabel is no longer present, so it must 
have been deleted when the auto-relabel was done, like the doc says.)
3) If the machine booted back up very quickly, should I be worried that 
the autorelabel might not have happened?  Any idea if it logs a message 
somewhere if it fails to start properly?
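As an added example (not from the thread or from anyone on it), here is a small shell check that parses `ps awuxZ` and `ls -lZ` output of the kind quoted above and flags the two symptoms in Bennett's listing: an httpd process whose domain is something other than httpd_t (it never made the domain transition, which normally means /usr/sbin/httpd itself does not carry the httpd_exec_t label), and files of type file_t or unlabeled_t (no policy label at all, so a relabel is still needed). The sample lines are constructed; PIDs and sizes are made up.

```shell
#!/bin/sh
# Constructed sample of `ps awuxZ | grep httpd` output (PIDs and sizes made up).
# The third process shows what a correctly transitioned httpd looks like.
PS_SAMPLE='system_u:system_r:init_t:s0 root 2521 0.1 0.4 21680 8820 ? Ss 05:05 0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0 apache 2550 0.0 0.4 23364 8920 ? S 05:05 0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0 apache 2551 0.1 0.4 22736 8212 ? S 05:05 0:00 /usr/sbin/httpd'

# Constructed sample of `ls -lZ` output; field 4 is the security context.
LS_SAMPLE='-rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r-- root root system_u:object_r:unlabeled_t:s0 /var/www/html/old.html'

# Print "PID type" for every httpd process not running in the httpd_t domain.
# A context is user:role:type:level, so the type is the third colon field.
find_untransitioned_httpd() {
    printf '%s\n' "$1" | awk '
        $NF ~ /httpd$/ {
            split($1, ctx, ":")
            if (ctx[3] != "httpd_t") print $3, ctx[3]
        }'
}

# Print "path type" for every file whose type is file_t or unlabeled_t.
# Both mean the inode has no policy label, i.e. the filesystem was never
# labeled (or the label was lost), so the policy cannot grant httpd access.
find_unlabeled_files() {
    printf '%s\n' "$1" | awk '
        {
            split($4, ctx, ":")
            if (ctx[3] == "file_t" || ctx[3] == "unlabeled_t") print $NF, ctx[3]
        }'
}

echo "httpd processes outside httpd_t:"
find_untransitioned_httpd "$PS_SAMPLE"
echo "unlabeled files:"
find_unlabeled_files "$LS_SAMPLE"
```

On a live box the same functions can be fed `ps awuxZ | grep httpd` and `ls -lZ /var/www/html/*`; `restorecon -nv /var/www/html` (dry run, verbose) lists what a relabel would actually change, which is a direct way to tell whether the autorelabel took effect.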


[CentOS] Kernel panic after install in centos6 before mounting root file system rw

2012-01-05 Thread Jason Pyeron
I am hopelessly trying to debug a new install of 6.2 x86_64. I used the minimal
install with default options. Unfortunately the screen garbles during the kernel
panic. Scroll/Num lock lights are blinking.

1. Where can I find debugging steps? (tried rescue and mount to read /var/log,
but no values written since it is still in RO mode)

2. Where are the keyboard blink codes documented?

-Jason

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Principal Consultant  10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.




Re: [CentOS] Kernel panic after install in centos6 before mounting root file system rw

2012-01-05 Thread Jason Pyeron

> -Original Message-
> From: Jason Pyeron
> Sent: Thursday, January 05, 2012 19:44
> Subject: [CentOS] Kernel panic after install in centos6 before 
> mounting root file system rw
> 
> I am hopelessly trying to debug a new install of 6.2 x86_64. 
> I used the minimal install with default options. 
> Unfortunately the screen garbles during the kernel panic. 

Correction: Caps/Scroll lock lights are blinking.



> 
> 1. Where can I find debugging steps? (tried rescue and mount 
> to read /var/log, but no values written since it is still in RO mode)
> 
> 2. Where are the keyboard blink codes documented?
> 
> -Jason



Re: [CentOS] swap labeling annoyance

2012-01-05 Thread Jorge Fábregas
On 01/05/2012 06:14 PM, m.r...@5-cent.us wrote:
> mkswap -L SWAP-sda3 /dev/sda3

Hi,

I didn't know you could create a label within the mkswap command.  I
always used "e2label" as in:

e2label /dev/sda2 myswap

Try it with e2label just in case.  Also, are you able to activate the
swap using just the block device as reference?

--
Jorge


Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread email builder
> 1.) Attacker uses apache remote exploit (or other means) to obtain
> your /etc/shadow file (not a remote shell, just GET the file
> without that fact being logged);

I don't mean to thread-hijack, but I'm curious, if apache runs as its
own non-root user and /etc/shadow is root-owned and 0400, then
how could any exploit of software not running as root ever have
access to that file??


Re: [CentOS] sa-update error with perl

2012-01-05 Thread email builder
>>> Hmm, OK, prioritize CentOS repo over RepoForge then will yum update
>>> figure out the rest?  I don't see any priority settings in my yum conf
>>> files...
>> 
>>  # yum list | grep priorities
>>  yum-priorities.noarch  1.1.16-16.el5.centos    
> installed
>> 
>>  # cat /etc/yum/pluginconf.d/priorities.conf 
>>  [main]
>>  enabled = 1
>>  check_obsoletes=1
>> 
>>  Then add "priority=n" to the repos sections.
>>  n=1 for CentOS
>>  n=2 for repo 2
>>  etc...
> 
> Ah, it's a separate package.  OK thanks for the info!
> 
> But before I try that, I'm wondering, shouldn't it be easy
> from the error message to simply understand what package
> is creating the problem?
> 
> It turns out it's not sa-update specifically doing this, but the
> restart of spamassassin itself:
> 
> /etc/init.d/spamassassin condrestart
> 
> Stopping spamd: [  OK  ]
> Starting spamd: Subroutine Net::DNS::Resolver::Base::AF_INET6 redefined at
> /usr/lib/perl5/5.8.8/Exporter.pm line 65.
>  at /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/Net/DNS/Resolver/Base.pm line 66
> [  OK  ]
> 
> I've ensured that my spamassassin, perl-Net-DNS and
> perl-IO-Socket-INET6 packages are all from the CentOS
> repo, so is it just a crap shoot to find what is causing
> this?  I'd expect the error message to be more helpful
> than that...
> 
> Recap on my versions:
> 
> perl-IO-Socket-INET6-2.51-2.fc6
> perl-Net-DNS-0.59-3.el5
> spamassassin-3.3.1-2.el5

In fact, it was suggested on the spamassassin list that version
0.59-3.el5 is vastly out of date and known to be buggy and,
contrary to the suggestion here of ensuring I prioritize CentOS
repos, I would be better served to get the newer version of 
perl-Net-DNS from the RepoForge (extras) repository.  

Other thoughts (on this or my main question in my last email
above) would be greatly appreciated.


Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread Corey Henderson
On 1/5/2012 9:13 PM, email builder wrote:
>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>> your /etc/shadow file (not a remote shell, just GET the file
>> without that fact being logged);
>
> I don't mean to thread-hijack, but I'm curious, if apache runs as its
> own non-root user and /etc/shadow is root-owned and 0400, then
> how could any exploit of software not running as root ever have
> access to that file??

It's possible if the kernel is vulnerable to a local root exploit, and 
the attacker who gained entry to the system via apache was able to use 
it and elevate privileges.

-- 
Corey Henderson
http://cormander.com/


Re: [CentOS] an actual hacked machine, in a preserved state

2012-01-05 Thread Les Mikesell
On Thu, Jan 5, 2012 at 10:13 PM, email builder  wrote:
>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>> your /etc/shadow file (not a remote shell, just GET the file
>> without that fact being logged);
>
> I don't mean to thread-hijack, but I'm curious, if apache runs as its
> own non-root user and /etc/shadow is root-owned and 0400, then
> how could any exploit of software not running as root ever have
> access to that file??

Apache starts as root so it can open port 80.  Certain bugs might
happen before it switched to a non-privileged user.  But, a more
likely scenario would be to get the ability to run some arbitrary
command through an apache, app, or library vulnerability, and that
command would use a different kernel, library, or suid program
vulnerability to get root access.  Look back through the update
release notes and you'll find an assortment of suitable bugs that have
been there...

-- 
   Les Mikesell
lesmikes...@gmail.com